Abstract. We present a systematic technique for transforming XACML 3.0 policies
into Answer Set Programming (ASP). We show that the resulting logic program
has a unique answer set that directly corresponds to our formalisation of
the standard semantics of XACML 3.0 from [9]. We demonstrate how our results
make it possible to use off-the-shelf ASP solvers to formally verify properties of
access control policies represented in XACML, such as checking the completeness
of a set of access control policies and verifying policy properties.
1 Background

XACML (extensible Access Control Markup Language) is a prominent access control
language that is widely adopted both in industry and academia. XACML is an
international standard in the field of information security and in February 2005, XACML
version 3.0 was ratified by OASIS.¹ XACML represents a shift from a more static
security approach as exemplified by ACLs (Access Control Lists) towards a dynamic
approach, based on Attribute Based Access Control (ABAC) systems. These dynamic
security concepts are more difficult to understand, audit and interpret in real-world
implications. The use of XACML requires not only the right tools but also well-founded
concepts for policy creation and management.

The problem with XACML is that its specification is described in natural language 
(c.f. [11]) and manual analysis of the overall effect and consequences of a large XACML 
policy set is a very daunting and time-consuming task. How can a policy developer 
be certain that the represented policies capture all possible requests? Can they lead to 
conflicting decisions for some request? Do the policies satisfy all required properties? 
These complex problems cannot be solved easily without some automatised support. 

To address this problem we propose a logic-based XACML analysis framework using
Answer Set Programming (ASP). With ASP we model an XACML Policy Decision
Point (PDP) that loads XACML policies and evaluates XACML requests against these
policies. The expressivity of ASP and the existence of efficient implementations of the
answer set semantics, such as clasp² and DLV³, provide the means for declarative
specification and verification of properties of XACML policies.



¹ The Organization for the Advancement of Structured Information Standards (OASIS) is a
global consortium that drives the development, convergence, and adoption of e-business and
web service standards.

² http://www.cs.uni-potsdam.de/clasp/
³ http://www.dlvsystem.com/



Our work is depicted in Figure 1. There are two main modules, viz. the PDP simulation
module and the access control (AC) security property verification module. In the
first module, we transform an XACML query and XACML policies from the original
format in XML syntax into abstract syntax, which is more compact than the original.
Subsequently we generate a query program $\Pi_{\mathcal{Q}}$ and an XACML policies program
$\Pi_{XACML}$ that correspond to the XACML query and the XACML policies, respectively.
We show that the corresponding answer set (AS) of $\Pi_{\mathcal{Q}} \cup \Pi_{XACML}$ is unique and that
it coincides with the semantics of original XACML policy evaluation. In the second
module, we demonstrate how our results make it possible to use off-the-shelf ASP solvers
to formally verify properties of AC policies represented in XACML. First we encode the
AC security property and a generator for each possible domain of XACML policies into
logic programs $\Pi_{AC\_property}$ and $\Pi_{generator}$, respectively. The AC property is encoded
in negated form, so that at a later stage each answer set corresponds to a counterexample
that violates the AC property. For the combination
$\Pi_{XACML} \cup \Pi_{AC\_property} \cup \Pi_{generator}$ we show that the XACML policies satisfy the AC
property when there is no available answer set.



Figure 1. Translation Process from Original XACML to XACML-ASP 
Outline. We consider the current version, XACML 3.0, Committee Specification 01, 10
August 2010. In Section 2 we explain the abstract syntax and semantics of XACML 3.0.
Then we describe the transformation of XACML 3.0 components into logic programs
in Section 3. We show the relation between XACML 3.0 semantics and the answer sets
in Section 4. Next, in Section 5, we show how to verify AC properties, such as checking
the completeness of a set of policies. In Section 6 we discuss the related work. We end
the paper with conclusions and future work.

2 XACML 3.0 

In order to avoid the superfluous syntax of XACML 3.0, we first present the abstract
syntax of XACML 3.0, which only shows the important components of XACML 3.0. We
continue the explanation by presenting the semantics of the evaluation of XACML 3.0
components based on the Committee Specification [11]. We take the work of Ramli et al.
[9] as our reference.



2.1 Abstract Syntax of XACML 3.0 



Table 1 shows the abstract syntax of XACML 3.0. We use bold font for non-terminal
symbols, typewriter font for terminal symbols, and identifiers and values are written
in italic font. A symbol followed by the star symbol (*) indicates that there are zero or
more occurrences of that symbol. Similarly, a symbol followed by the plus symbol (+)
indicates that there are one or more occurrences of that symbol. We consider that each
policy has a unique identifier (ID). We use an initial capital letter for XACML components
such as PolicySet, Policy, Rule, etc., and small letters for English terminology.



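Table 1. Abstraction of XACML 3.0 Components

XACML Policy Components
  PolicySet   $\mathcal{PS}$   ::= $\mathcal{PS}_{id} = [\mathcal{T}, \langle (\mathcal{PS}_{id} \mid \mathcal{P}_{id})^{*} \rangle, \mathsf{CombID}]$
  Policy      $\mathcal{P}$    ::= $\mathcal{P}_{id} = [\mathcal{T}, \langle \mathcal{R}_{id}^{+} \rangle, \mathsf{CombID}]$
  Rule        $\mathcal{R}$    ::= $\mathcal{R}_{id} = [\mathsf{Effect}, \mathcal{T}, \mathcal{C}]$
  Condition   $\mathcal{C}$    ::= $\mathsf{true} \mid f^{bool}(a_1, \ldots, a_n)$
  Target      $\mathcal{T}$    ::= $\mathsf{null} \mid \bigwedge \mathcal{E}^{+}$
  AnyOf       $\mathcal{E}$    ::= $\bigvee \mathcal{A}^{+}$
  AllOf       $\mathcal{A}$    ::= $\bigwedge \mathcal{M}^{+}$
  Match       $\mathcal{M}$    ::= $\mathsf{Attr}$
              CombID           ::= $\mathsf{po} \mid \mathsf{do} \mid \mathsf{fa} \mid \mathsf{ooa}$
              Effect           ::= $\mathsf{p} \mid \mathsf{d}$
  Attribute   Attr             ::= $category(attribute\_value)$

XACML Request Component
  Request     $\mathcal{Q}$    ::= $(\mathsf{Attr} \mid \mathsf{error}(\mathsf{Attr}))^{+}$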



There are three levels of policies in XACML, namely PolicySet, Policy and Rule. 
PolicySet or Policy can act as the root of a set of access control policies, while Rule is a 
single entity that describes one particular access control policy. Throughout this paper 
we consider that PolicySet is the root of the set of access control policies. 

Both PolicySet and Policy function as containers for a sequence of PolicySet, Policy 
or Rule. A PolicySet contains either a sequence of PolicySet elements or a sequence of 
Policy elements, while a Policy can only contain a sequence of Rule elements. Every 
sequence of PolicySet, Policy or Rule elements has an associated combining algorithm. 
There are four common combining algorithms defined in XACML 3.0, namely permit- 
overrides (po), deny-overrides (do), first-applicable (fa) and only-one-applicable (ooa). 

A Rule describes an individual access control policy. It regulates whether an access 
should be permitted (p) or denied (d). All PolicySet, Policy and Rule are applicable 
whenever their Target matches with the Request. When the Rule's Target matches the 
Request, then the applicability of the Rule is refined by its Condition. 

A Target element identifies the set of decision requests that the parent element is 
intended to evaluate. The Target element must appear as a child of a PolicySet and 
Policy element and may appear as a child of a Rule element. The empty Target for 
Rule element is indicated by null attribute. The Target element contains a conjunctive 
sequence of AnyOf elements. The AnyOf element contains a disjunctive sequence of 
AllOf elements, while the AllOf element contains a conjunctive sequence of Match 
elements. Each Match element specifies an attribute that a Request should match. 



A Condition is a Boolean function over attributes or functions of attributes. In this 
abstraction, the user is free to define the Condition as long as its expression returns a 
Boolean value, i.e., either true or false. Empty Condition is always associated to true. 

A Request contains a set of attribute values for a particular access request and the 
error messages that occurred during the evaluation of attribute values. 



2.2 XACML 3.0 Formal Semantics 

The evaluation of XACML policies starts from the evaluation of Match elements and
continues bottom-up until the evaluation of the root of the XACML element, i.e., the
evaluation of PolicySet. For each XACML element $X$ we denote by $[\![X]\!]$ a semantic
function associated to $X$. To each Request element, this function assigns a value from
a set of values that depends on the particular type of the XACML element $X$. For
example, the semantic function $[\![X]\!]$, where $X$ is a Match element, ranges over the set
$\{\mathsf{m}, \mathsf{nm}, \mathsf{idt}\}$, while its range is the set $\{\mathsf{t}, \mathsf{f}, \mathsf{idt}\}$ when $X$ is a Condition element.
A further explanation will be given below. An XACML component returns an
indeterminate value whenever the decision cannot be made. This happens when there is an
error during the evaluation process. See [9] for further explanation of the semantics of
XACML 3.0.

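Evaluation of Match, AllOf, AnyOf and Target Components. Let $X$ be either a
Match, an AllOf, an AnyOf or a Target component and let $Q$ be a set of all possible
Requests. A Match semantic function is a mapping $[\![X]\!] : Q \to \{\mathsf{m}, \mathsf{nm}, \mathsf{idt}\}$, where
$\mathsf{m}$, $\mathsf{nm}$ and $\mathsf{idt}$ denote match, no-match and indeterminate, respectively.

Our evaluation of Match element is based on equality function.⁴ We check whether
there are any attribute values in Request element that match the Match attribute value.

Let $\mathcal{Q}$ be a Request element and let $\mathcal{M}$ be a Match element. The evaluation of Match
$\mathcal{M}$ is as follows

$$
[\![\mathcal{M}]\!](\mathcal{Q}) =
\begin{cases}
\mathsf{m} & \text{if } \mathcal{M} \in \mathcal{Q} \text{ and } \mathsf{error}(\mathcal{M}) \notin \mathcal{Q} \\
\mathsf{nm} & \text{if } \mathcal{M} \notin \mathcal{Q} \text{ and } \mathsf{error}(\mathcal{M}) \notin \mathcal{Q} \\
\mathsf{idt} & \text{if } \mathsf{error}(\mathcal{M}) \in \mathcal{Q}
\end{cases}
\tag{1}
$$
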
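The evaluation of AllOf is a conjunction of a sequence of Match elements. The values
$\mathsf{m}$, $\mathsf{nm}$ and $\mathsf{idt}$ correspond to true, false and undefined in 3-valued logic, respectively.
Given a Request $\mathcal{Q}$, the evaluation of AllOf, $\mathcal{A} = \bigwedge_{i=1}^{n} \mathcal{M}_i$, is as follows

$$
[\![\mathcal{A}]\!](\mathcal{Q}) =
\begin{cases}
\mathsf{m} & \text{if } \forall i : [\![\mathcal{M}_i]\!](\mathcal{Q}) = \mathsf{m} \\
\mathsf{nm} & \text{if } \exists i : [\![\mathcal{M}_i]\!](\mathcal{Q}) = \mathsf{nm} \\
\mathsf{idt} & \text{otherwise}
\end{cases}
\tag{2}
$$

where each $\mathcal{M}_i$ is a Match element.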

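The evaluation of AnyOf element is a disjunction of a sequence of AllOf elements.
Given a Request $\mathcal{Q}$, the evaluation of AnyOf, $\mathcal{E} = \bigvee_{i=1}^{n} \mathcal{A}_i$, is as follows

$$
[\![\mathcal{E}]\!](\mathcal{Q}) =
\begin{cases}
\mathsf{m} & \text{if } \exists i : [\![\mathcal{A}_i]\!](\mathcal{Q}) = \mathsf{m} \\
\mathsf{nm} & \text{if } \forall i : [\![\mathcal{A}_i]\!](\mathcal{Q}) = \mathsf{nm} \\
\mathsf{idt} & \text{otherwise}
\end{cases}
\tag{3}
$$

where each $\mathcal{A}_i$ is an AllOf element.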



4 Our Match evaluation is a simplification compared with [11]. 



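The evaluation of Target element is a conjunction of a sequence of AnyOf elements.
An empty Target, indicated by null attribute, is always evaluated to $\mathsf{m}$. Given a
Request $\mathcal{Q}$, the evaluation of Target, $\mathcal{T} = \bigwedge_{i=1}^{n} \mathcal{E}_i$, is as follows

$$
[\![\mathcal{T}]\!](\mathcal{Q}) =
\begin{cases}
\mathsf{m} & \text{if } \forall i : [\![\mathcal{E}_i]\!](\mathcal{Q}) = \mathsf{m} \text{ or } \mathcal{T} = \mathsf{null} \\
\mathsf{nm} & \text{if } \exists i : [\![\mathcal{E}_i]\!](\mathcal{Q}) = \mathsf{nm} \\
\mathsf{idt} & \text{otherwise}
\end{cases}
\tag{4}
$$

where each $\mathcal{E}_i$ is an AnyOf element.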

Evaluation of Condition. Let $X$ be a Condition component and let $Q$ be a set of all
possible Requests. A Condition semantic function is a mapping $[\![X]\!] : Q \to \{\mathsf{t}, \mathsf{f}, \mathsf{idt}\}$,
where $\mathsf{t}$, $\mathsf{f}$ and $\mathsf{idt}$ denote true, false and indeterminate, respectively.

The evaluation of Condition element is based on the evaluation of its Boolean
function as described in its element. To keep it abstract, we do not specify specific functions;
however, we use an unspecified function, $\mathsf{eval}$, that returns a value in $\{\mathsf{t}, \mathsf{f}, \mathsf{idt}\}$.

Given a Request $\mathcal{Q}$, the evaluation of Condition $\mathcal{C}$ is as follows

$$
[\![\mathcal{C}]\!](\mathcal{Q}) = \mathsf{eval}(\mathcal{C}, \mathcal{Q})
\tag{5}
$$

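Evaluation of Rule. Let $X$ be a Rule component and let $Q$ be a set of possible Requests.
A Rule semantic function is a mapping $[\![X]\!] : Q \to \{\mathsf{p}, \mathsf{d}, \mathsf{i_p}, \mathsf{i_d}, \mathsf{na}\}$, where $\mathsf{p}$, $\mathsf{d}$, $\mathsf{i_p}$, $\mathsf{i_d}$
and $\mathsf{na}$ correspond to permit, deny, indeterminate permit, indeterminate deny and
not-applicable, respectively.

Given a Request $\mathcal{Q}$, the evaluation of Rule $\mathcal{R}_{id} = [E, \mathcal{T}, \mathcal{C}]$ is as follows

$$
[\![\mathcal{R}_{id}]\!](\mathcal{Q}) =
\begin{cases}
E & \text{if } [\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{m} \text{ and } [\![\mathcal{C}]\!](\mathcal{Q}) = \mathsf{t} \\
\mathsf{na} & \text{if } ([\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{m} \text{ and } [\![\mathcal{C}]\!](\mathcal{Q}) = \mathsf{f}) \text{ or } [\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{nm} \\
\mathsf{i}_E & \text{otherwise}
\end{cases}
\tag{6}
$$

where $E$ is an effect, $E \in \{\mathsf{p}, \mathsf{d}\}$, $\mathcal{T}$ is a Target element and $\mathcal{C}$ is a Condition element.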

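Evaluation of Policy and PolicySet. Let $X$ be either a Policy or a PolicySet component
and let $Q$ be a set of all possible Requests. A Policy semantic function is a mapping
$[\![X]\!] : Q \to \{\mathsf{p}, \mathsf{d}, \mathsf{i_p}, \mathsf{i_d}, \mathsf{i_{dp}}, \mathsf{na}\}$, where $\mathsf{p}$, $\mathsf{d}$, $\mathsf{i_p}$, $\mathsf{i_d}$, $\mathsf{i_{dp}}$ and $\mathsf{na}$ correspond to permit,
deny, indeterminate permit, indeterminate deny, indeterminate deny permit and
not-applicable, respectively.

Given a Request $\mathcal{Q}$, the evaluation of Policy $\mathcal{P}_{id} = [\mathcal{T}, \langle \mathcal{R}_1, \ldots, \mathcal{R}_n \rangle, \mathsf{CombID}]$ is
as follows

$$
[\![\mathcal{P}_{id}]\!](\mathcal{Q}) =
\begin{cases}
\mathsf{i_d} & \text{if } [\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{idt} \text{ and } \bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{d} \\
\mathsf{i_p} & \text{if } [\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{idt} \text{ and } \bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{p} \\
\mathsf{na} & \text{if } [\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{nm} \text{ or } \forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{na} \\
\bigoplus_{\mathsf{CombID}}(\mathbf{R}) & \text{otherwise}
\end{cases}
\tag{7}
$$

where $\mathcal{T}$ is a Target element, and each $\mathcal{R}_i$ is a Rule element. We use $\mathbf{R}$ to denote
$\langle [\![\mathcal{R}_1]\!](\mathcal{Q}), \ldots, [\![\mathcal{R}_n]\!](\mathcal{Q}) \rangle$.

Note: The combining algorithm denoted by $\bigoplus_{\mathsf{CombID}}$ will be explained in Sect. 2.3.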

The evaluation of PolicySet is exactly like the evaluation of Policy except that it 
differs in terms of input parameter. While in Policy we use a sequence of Rule elements 
as an input, in the evaluation of PolicySet we use a sequence of Policy or PolicySet 
elements. 



2.3 XACML Combining Algorithms 

There are four common combining algorithms defined in XACML 3.0, namely
permit-overrides (po), deny-overrides (do), first-applicable (fa) and only-one-applicable (ooa).
In this paper, we do not consider the deny-overrides combining algorithm since it is the
mirror of the permit-overrides combining algorithm.

Permit-Overrides (po) Combining Algorithm. The permit-overrides combining
algorithm is intended for use if a permit decision should have priority over a deny decision.
This algorithm has the following behaviour [11].

1. If any decision is "permit", the result is "permit".

2. Otherwise, if any decision is "indeterminate deny permit", the result is
"indeterminate deny permit".

3. Otherwise, if any decision is "indeterminate permit" and another decision is
"indeterminate deny" or "deny", the result is "indeterminate deny permit".

4. Otherwise, if any decision is "indeterminate permit", the result is "indeterminate
permit".

5. Otherwise, if any decision is "deny", the result is "deny".

6. Otherwise, if any decision is "indeterminate deny", the result is "indeterminate
deny".

7. Otherwise, the result is "not applicable".

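Let $\langle s_1, \ldots, s_n \rangle$ be a sequence of elements of $\{\mathsf{p}, \mathsf{d}, \mathsf{i_p}, \mathsf{i_d}, \mathsf{i_{dp}}, \mathsf{na}\}$. The
permit-overrides combining operator is defined as follows

$$
\bigoplus_{\mathsf{po}}(\langle s_1, \ldots, s_n \rangle) =
\begin{cases}
\mathsf{p} & \text{if } \exists i : s_i = \mathsf{p} \\
\mathsf{i_{dp}} & \text{if } \forall i : s_i \neq \mathsf{p} \text{ and } \big(\exists j : s_j = \mathsf{i_{dp}} \text{ or } (\exists j, j' : s_j = \mathsf{i_p} \text{ and } (s_{j'} = \mathsf{i_d} \text{ or } s_{j'} = \mathsf{d}))\big) \\
\mathsf{i_p} & \text{if } \exists i : s_i = \mathsf{i_p} \text{ and } \forall j : s_j \neq \mathsf{i_p} \Rightarrow s_j = \mathsf{na} \\
\mathsf{d} & \text{if } \exists i : s_i = \mathsf{d} \text{ and } \forall j : s_j \neq \mathsf{d} \Rightarrow (s_j = \mathsf{i_d} \text{ or } s_j = \mathsf{na}) \\
\mathsf{i_d} & \text{if } \exists i : s_i = \mathsf{i_d} \text{ and } \forall j : s_j \neq \mathsf{i_d} \Rightarrow s_j = \mathsf{na} \\
\mathsf{na} & \text{otherwise}
\end{cases}
\tag{8}
$$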

First-Applicable (fa) Combining Algorithm. Each Rule must be evaluated in the order 
in which it is listed in the Policy. If a particular Rule is applicable, then the result of 
first-applicable combining algorithm must be the result of evaluating the Rule. If the 
Rule is "not applicable" then the next Rule in the order must be evaluated. If no further 
Rule in the order exists, then the first-applicable combining algorithm must return "not 
applicable". 

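Let $\langle s_1, \ldots, s_n \rangle$ be a sequence of elements of $\{\mathsf{p}, \mathsf{d}, \mathsf{i_p}, \mathsf{i_d}, \mathsf{i_{dp}}, \mathsf{na}\}$. The first-applicable
combining operator is defined as follows:

$$
\bigoplus_{\mathsf{fa}}(\langle s_1, \ldots, s_n \rangle) =
\begin{cases}
s_i & \text{if } \exists i : s_i \neq \mathsf{na} \text{ and } \forall j : (j < i) \Rightarrow (s_j = \mathsf{na}) \\
\mathsf{na} & \text{otherwise}
\end{cases}
\tag{9}
$$
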

Only-One-Applicable (ooa) Combining Algorithm. If only one Policy is considered
applicable by evaluation of its Target, then the result of the only-one-applicable
combining algorithm must be the result of evaluating the Policy. If in the entire sequence of
Policy elements in the PolicySet, there is no Policy that is applicable, then the result
of the only-one-applicable combining algorithm must be "not applicable". If more than
one Policy is considered applicable, then the result of the only-one-applicable
combining algorithm must be "indeterminate".

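Let $\langle s_1, \ldots, s_n \rangle$ be a sequence of elements of $\{\mathsf{p}, \mathsf{d}, \mathsf{i_p}, \mathsf{i_d}, \mathsf{i_{dp}}, \mathsf{na}\}$. The
only-one-applicable combining operator is defined as follows:

$$
\bigoplus_{\mathsf{ooa}}(\langle s_1, \ldots, s_n \rangle) =
\begin{cases}
\mathsf{i_{dp}} & \text{if } (\exists i : s_i = \mathsf{i_{dp}}) \text{ or } (\exists i, j : i \neq j \text{ and } s_i = (\mathsf{d} \text{ or } \mathsf{i_d}) \wedge s_j = (\mathsf{p} \text{ or } \mathsf{i_p})) \\
\mathsf{i_d} & \text{if } (\forall i : s_i \neq (\mathsf{p} \text{ or } \mathsf{i_p} \text{ or } \mathsf{i_{dp}})) \text{ and } ((\exists j : s_j = \mathsf{i_d}) \text{ or } (\exists j, k : j \neq k \text{ and } s_j = s_k = \mathsf{d})) \\
\mathsf{i_p} & \text{if } (\forall i : s_i \neq (\mathsf{d} \text{ or } \mathsf{i_d} \text{ or } \mathsf{i_{dp}})) \text{ and } ((\exists j : s_j = \mathsf{i_p}) \text{ or } (\exists j, k : j \neq k \text{ and } s_j = s_k = \mathsf{p})) \\
s_i & \text{if } \exists i : s_i \neq \mathsf{na} \text{ and } \forall j : j \neq i \Rightarrow s_j = \mathsf{na} \\
\mathsf{na} & \text{otherwise}
\end{cases}
\tag{10}
$$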
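
The three combining operators of this section, as an added Python example that is not part of the original paper. It implements permit-overrides twice, once from the seven-step list and once clause by clause from (8), and checks exhaustively that the two agree; deny-overrides is derived as the mirror image, as the text states. The string spellings of the decision values and all function names are assumptions of this example.

```python
from itertools import product

# Decision values of Sect. 2.2 (spelled as strings for this example).
P, D, IP, ID, IDP, NA = "p", "d", "ip", "id", "idp", "na"
DECISIONS = (P, D, IP, ID, IDP, NA)


def permit_overrides(s):
    """Permit-overrides as the ordered seven-step list quoted from [11]."""
    if P in s:
        return P
    if IDP in s or (IP in s and (ID in s or D in s)):
        return IDP
    for value in (IP, D, ID):          # steps 4, 5 and 6, in priority order
        if value in s:
            return value
    return NA


def permit_overrides_eq8(s):
    """Permit-overrides written clause by clause from equation (8)."""
    def only(v, rest):
        # "exists i: s_i = v, and every s_j different from v lies in rest"
        return v in s and all(x == v or x in rest for x in s)

    clauses = {
        P: P in s,
        IDP: P not in s and (IDP in s or (IP in s and (ID in s or D in s))),
        IP: only(IP, {NA}),
        D: only(D, {ID, NA}),
        ID: only(ID, {NA}),
    }
    fired = [v for v, holds in clauses.items() if holds]
    if len(fired) > 1:
        raise ValueError(f"clauses of (8) overlap on {s}: {fired}")
    return fired[0] if fired else NA


# Deny-overrides obtained as the mirror image of permit-overrides.
_MIRROR = {P: D, D: P, IP: ID, ID: IP, IDP: IDP, NA: NA}


def deny_overrides(s):
    return _MIRROR[permit_overrides([_MIRROR[x] for x in s])]


def first_applicable(s):
    """Equation (9): the first decision that is not na, else na."""
    return next((x for x in s if x != NA), NA)


def only_one_applicable(s):
    """Equation (10), clauses tested in the order in which they are listed."""
    deny_side = [x for x in s if x in (D, ID)]
    permit_side = [x for x in s if x in (P, IP)]
    if IDP in s or (deny_side and permit_side):
        return IDP
    if not permit_side and (ID in s or len(deny_side) >= 2):
        return ID
    if not deny_side and (IP in s or len(permit_side) >= 2):
        return IP
    applicable = [x for x in s if x != NA]
    return applicable[0] if len(applicable) == 1 else NA


def disagreements(max_len=3):
    """Sequences on which the prose list and equation (8) differ."""
    return [s for n in range(max_len + 1)
            for s in product(DECISIONS, repeat=n)
            if permit_overrides(s) != permit_overrides_eq8(s)]


if __name__ == "__main__":
    for seq in (["d", "na", "ip"], ["d", "id", "na"], ["p", "na", "p"]):
        print(seq, permit_overrides(seq), deny_overrides(seq),
              first_applicable(seq), only_one_applicable(seq))
    print("list vs. equation (8) disagreements:", disagreements())
```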



3 Transforming XACML Components into Logic Programs 

In this section we show, step by step, how to transform XACML 3.0 components into 
logic programs. We begin by introducing the syntax of logic programs (LPs). Then we 
show the transformation of XACML component into LPs starting from Request element 
to PolicySet element. We also present transformations for combining algorithms. The 
transformation of each XACML element is based on its formal semantics explained in 
Sect. 2.2 and Sect. 2.3. 

3.1 Preliminaries 

We recall basic notation and terminology that we use in the remainder of this paper. 

First-Order Language. We consider an alphabet consisting of (finite or countably
infinite) disjoint sets of variables, constants, function symbols, predicate symbols,
connectives $\{\mathsf{not}, \wedge, \leftarrow\}$, punctuation symbols { "(", ")", "." } and special symbols
$\{\top, \bot\}$. We use upper case letters to denote variables and lower case letters to
denote constants, function and predicate symbols. Terms, atoms, literals and formulae are
defined as usual. The language given by an alphabet consists of the set of all formulae
constructed from the symbols occurring in the alphabet.

Logic Programs. A rule is an expression of the form

$$
A \leftarrow B_1 \wedge \cdots \wedge B_m \wedge \mathsf{not}\ B_{m+1} \wedge \cdots \wedge \mathsf{not}\ B_n.
\tag{11}
$$

where $A$ is either an atom or $\bot$ and each $B_i$, $1 \le i \le n$, is an atom or $\top$. $\top$ is a
valid formula. We usually write $B_1 \wedge \cdots \wedge B_m \wedge \mathsf{not}\ B_{m+1} \wedge \cdots \wedge \mathsf{not}\ B_n$ simply as
$B_1, \ldots, B_m, \mathsf{not}\ B_{m+1}, \ldots, \mathsf{not}\ B_n$. We call the rule a constraint when $A = \bot$.
One should observe that the body of a rule must not be empty. A fact is a rule of the
form $A \leftarrow \top$.

A logic program is a finite set of rules. We write $ground(\Pi)$ for the set of all
ground instances of rules in the program $\Pi$.



3.2 XACML Components Transformation into Logic Programs 

The transformation of XACML components is based on the semantics of each compo- 
nent explained in Sect. 2.2. 

3.2.1 Request Transformation. XACML Syntax: Let $\mathcal{Q} = \{cat_1(a_1), \ldots, cat_n(a_n)\}$
be a Request component. We transform all members of Request element into facts. The
transformation of Request, $\mathcal{Q}$, into LP $\Pi_{\mathcal{Q}}$ is as follows

$$
cat_i(a_i) \leftarrow \top. \qquad (1 \le i \le n)
$$

3.2.2 XACML Policy Components Transformation. We use a two-place function
$\mathsf{val}$ to indicate the semantics of XACML components where the first argument is the
name of XACML component and the second argument is its value. Please note that the
calligraphic font in each transformation indicates the XACML component's name, that
is, it does not represent a variable in LP.

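Transformation of Match, AnyOf, AllOf and Target Components. Given a semantic
equation of the form $[\![X]\!](\mathcal{Q}) = v$ if $cond_1$ and $\ldots$ and $cond_n$, we produce a rule
of the form $\mathsf{val}(X, v) \leftarrow cond_1, \ldots, cond_n$. Given a semantic equation of the form
$[\![X]\!](\mathcal{Q}) = v$ if $cond_1$ or $\ldots$ or $cond_n$, we produce a rule of the form
$\mathsf{val}(X, v) \leftarrow cond_i$, $1 \le i \le n$. For example, the Match evaluation
$[\![\mathcal{M}]\!](\mathcal{Q}) = \mathsf{m}$ if $cat(a) \in \mathcal{Q}$ and $\mathsf{error}(cat(a)) \notin \mathcal{Q}$ is transformed into a rule
of the form $\mathsf{val}(\mathcal{M}, \mathsf{m}) \leftarrow \mathcal{M}, \mathsf{not}\ \mathsf{error}(\mathcal{M})$. The truth value of $\mathcal{M}$ depends on
whether $\mathcal{M} \leftarrow \top$ is in $\Pi_{\mathcal{Q}}$ and the same is the case also for the truth value of
$\mathsf{error}(\mathcal{M})$.

Let $\mathcal{M}$ be a Match component. The transformation of Match $\mathcal{M}$ into LP $\Pi_{\mathcal{M}}$ is as
follows (see (1) for Match evaluation)

$$
\begin{array}{l}
\mathsf{val}(\mathcal{M}, \mathsf{m}) \leftarrow \mathcal{M},\ \mathsf{not}\ \mathsf{error}(\mathcal{M}). \\
\mathsf{val}(\mathcal{M}, \mathsf{nm}) \leftarrow \mathsf{not}\ cat(a),\ \mathsf{not}\ \mathsf{error}(\mathcal{M}). \\
\mathsf{val}(\mathcal{M}, \mathsf{idt}) \leftarrow \mathsf{error}(\mathcal{M}).
\end{array}
$$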

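Let $\mathcal{A} = \bigwedge_{i=1}^{n} \mathcal{M}_i$ be an AllOf component where each $\mathcal{M}_i$ is a Match component.
The transformation of AllOf $\mathcal{A}$ into LP $\Pi_{\mathcal{A}}$ is as follows (see (2) for AllOf evaluation)

$$
\begin{array}{l}
\mathsf{val}(\mathcal{A}, \mathsf{m}) \leftarrow \mathsf{val}(\mathcal{M}_1, \mathsf{m}), \ldots, \mathsf{val}(\mathcal{M}_n, \mathsf{m}). \\
\mathsf{val}(\mathcal{A}, \mathsf{nm}) \leftarrow \mathsf{val}(\mathcal{M}_i, \mathsf{nm}). \qquad (1 \le i \le n) \\
\mathsf{val}(\mathcal{A}, \mathsf{idt}) \leftarrow \mathsf{not}\ \mathsf{val}(\mathcal{A}, \mathsf{m}),\ \mathsf{not}\ \mathsf{val}(\mathcal{A}, \mathsf{nm}).
\end{array}
$$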

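Let $\mathcal{E} = \bigvee_{i=1}^{n} \mathcal{A}_i$ be an AnyOf component where each $\mathcal{A}_i$ is an AllOf component.
The transformation of AnyOf $\mathcal{E}$ into LP $\Pi_{\mathcal{E}}$ is as follows (see (3) for AnyOf evaluation)

$$
\begin{array}{l}
\mathsf{val}(\mathcal{E}, \mathsf{m}) \leftarrow \mathsf{val}(\mathcal{A}_i, \mathsf{m}). \qquad (1 \le i \le n) \\
\mathsf{val}(\mathcal{E}, \mathsf{nm}) \leftarrow \mathsf{val}(\mathcal{A}_1, \mathsf{nm}), \ldots, \mathsf{val}(\mathcal{A}_n, \mathsf{nm}). \\
\mathsf{val}(\mathcal{E}, \mathsf{idt}) \leftarrow \mathsf{not}\ \mathsf{val}(\mathcal{E}, \mathsf{m}),\ \mathsf{not}\ \mathsf{val}(\mathcal{E}, \mathsf{nm}).
\end{array}
$$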

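Let $\mathcal{T} = \bigwedge_{i=1}^{n} \mathcal{E}_i$ be a Target component where each $\mathcal{E}_i$ is an AnyOf component.
The transformation of Target $\mathcal{T}$ into LP $\Pi_{\mathcal{T}}$ is as follows (see (4) for Target evaluation)

$$
\begin{array}{l}
\mathsf{val}(\mathsf{null}, \mathsf{m}) \leftarrow \top. \\
\mathsf{val}(\mathcal{T}, \mathsf{m}) \leftarrow \mathsf{val}(\mathcal{E}_1, \mathsf{m}), \ldots, \mathsf{val}(\mathcal{E}_n, \mathsf{m}). \\
\mathsf{val}(\mathcal{T}, \mathsf{nm}) \leftarrow \mathsf{val}(\mathcal{E}_i, \mathsf{nm}). \qquad (1 \le i \le n) \\
\mathsf{val}(\mathcal{T}, \mathsf{idt}) \leftarrow \mathsf{not}\ \mathsf{val}(\mathcal{T}, \mathsf{m}),\ \mathsf{not}\ \mathsf{val}(\mathcal{T}, \mathsf{nm}).
\end{array}
$$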



Transformation of Condition Component. The transformation of Condition $\mathcal{C}$ into
LP $\Pi_{\mathcal{C}}$ is as follows

$$
\mathsf{val}(\mathcal{C}, V) \leftarrow \mathsf{eval}(\mathcal{C}, V).
$$

Moreover, the transformation of Condition also depends on the transformation of the $\mathsf{eval}$
function into LP. Since we do not describe specific $\mathsf{eval}$ functions, we leave this
transformation to the user.

Example 1. A possible $\mathsf{eval}$ function for "rule r1: patient only can see his or her patient
record" is

$\Pi_{cond(r1)}$:

$$
\begin{array}{l}
\mathsf{val}(cond(r1), V) \leftarrow \mathsf{eval}(cond(r1), V). \\
\mathsf{eval}(cond(r1), \mathsf{t}) \leftarrow patient\_id(X),\ patient\_record\_id(X), \\
\qquad \mathsf{not}\ \mathsf{error}(patient\_id(X)),\ \mathsf{not}\ \mathsf{error}(patient\_record\_id(X)). \\
\mathsf{eval}(cond(r1), \mathsf{f}) \leftarrow patient\_id(X),\ patient\_record\_id(Y),\ X \neq Y, \\
\qquad \mathsf{not}\ \mathsf{error}(patient\_id(X)),\ \mathsf{not}\ \mathsf{error}(patient\_record\_id(Y)). \\
\mathsf{eval}(cond(r1), \mathsf{idt}) \leftarrow \mathsf{not}\ \mathsf{eval}(cond(r1), \mathsf{t}),\ \mathsf{not}\ \mathsf{eval}(cond(r1), \mathsf{f}).
\end{array}
$$

The $\mathsf{error}(patient\_id(X))$ and $\mathsf{error}(patient\_record\_id(X))$ indicate possible errors
that might occur, e.g., the system could not connect to the database so that the system
does not know the ID of the patient. □

Transformation of Rule Component. The general step of the transformation of Rule 
component is similar to the transformation of Match component. 

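Let $\mathcal{R} = [e, \mathcal{T}, \mathcal{C}]$ be a Rule component where $e \in \{\mathsf{p}, \mathsf{d}\}$, $\mathcal{T}$ is a Target and $\mathcal{C}$ is
a Condition. The transformation of Rule $\mathcal{R}$ into LP $\Pi_{\mathcal{R}}$ is as follows (see (6) for Rule
evaluation)

$$
\begin{array}{l}
\mathsf{val}(\mathcal{R}, e) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{m}),\ \mathsf{val}(\mathcal{C}, \mathsf{t}). \\
\mathsf{val}(\mathcal{R}, \mathsf{na}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{m}),\ \mathsf{val}(\mathcal{C}, \mathsf{f}). \\
\mathsf{val}(\mathcal{R}, \mathsf{na}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{nm}). \\
\mathsf{val}(\mathcal{R}, \mathsf{i}_e) \leftarrow \mathsf{not}\ \mathsf{val}(\mathcal{R}, e),\ \mathsf{not}\ \mathsf{val}(\mathcal{R}, \mathsf{na}).
\end{array}
$$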

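Transformation of Policy and PolicySet Components. Let
$\mathcal{P}_{id} = [\mathcal{T}, \langle \mathcal{R}_1, \ldots, \mathcal{R}_n \rangle, \mathsf{CombID}]$ be a Policy component where $\mathcal{T}$ is a Target,
$\langle \mathcal{R}_1, \ldots, \mathcal{R}_n \rangle$ is a sequence of Rule elements and $\mathsf{CombID}$ is a combining algorithm
identifier. In order to indicate that the Policy contains Rule $\mathcal{R}_i$, for every Rule
$\mathcal{R}_i \in \langle \mathcal{R}_1, \ldots, \mathcal{R}_n \rangle$, $\Pi_{\mathcal{P}_{id}}$ contains:

$$
\mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}_i, V) \leftarrow \mathsf{val}(\mathcal{R}_i, V). \qquad (1 \le i \le n)
$$

The transformation for Policy $\mathcal{P}$ into LP $\Pi_{\mathcal{P}_{id}}$ is as follows (see (7) for Policy
evaluation)

$$
\begin{array}{l}
\mathsf{val}(\mathcal{P}_{id}, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{idt}),\ \mathsf{algo}(\mathsf{CombID}, \mathcal{P}_{id}, \mathsf{d}). \\
\mathsf{val}(\mathcal{P}_{id}, \mathsf{i_p}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{idt}),\ \mathsf{algo}(\mathsf{CombID}, \mathcal{P}_{id}, \mathsf{p}). \\
\mathsf{val}(\mathcal{P}_{id}, \mathsf{na}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{nm}). \\
\mathsf{val}(\mathcal{P}_{id}, \mathsf{na}) \leftarrow \mathsf{val}(\mathcal{R}_1, \mathsf{na}), \ldots, \mathsf{val}(\mathcal{R}_n, \mathsf{na}). \\
\mathsf{val}(\mathcal{P}_{id}, V) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{m}),\ \mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}, V),\ V \neq \mathsf{na},\ \mathsf{algo}(\mathsf{CombID}, \mathcal{P}_{id}, V). \\
\mathsf{val}(\mathcal{P}_{id}, V) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{idt}),\ \mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}, V),\ V \neq \mathsf{na},\ \mathsf{algo}(\mathsf{CombID}, \mathcal{P}_{id}, V),\ V \neq \mathsf{p}. \\
\mathsf{val}(\mathcal{P}_{id}, V) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{idt}),\ \mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}, V),\ V \neq \mathsf{na},\ \mathsf{algo}(\mathsf{CombID}, \mathcal{P}_{id}, V),\ V \neq \mathsf{d}.
\end{array}
$$

We write a formula $\mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}, V), V \neq \mathsf{na}$ to make sure that there is a Rule
in the Policy that is not evaluated to $\mathsf{na}$. We do this to avoid a return value from a
combining algorithm that is not $\mathsf{na}$, even though all of the Rule elements are evaluated to $\mathsf{na}$.
The transformation of PolicySet is similar to the transformation of Policy component.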



3.3 Combining Algorithm Transformation 



We define generic LPs for the permit-overrides combining algorithm and the
only-one-applicable combining algorithm. Therefore, we use a variable $P$ to indicate a variable
over Policy identifiers and $R$, $R_1$ and $R_2$ to indicate variables over Rule identifiers. In the
case of the evaluation of PolicySet, the input $P$ is for PolicySet identifiers, and $R$, $R_1$ and
$R_2$ are for Policy (or PolicySet) identifiers.

Permit-Overrides Transformation. Let 7T po be a LP obtained by permit-overrides 
combining algorithm transformation (see (8) for the permit-overrides combining algo- 
rithm semantics). 77 po contains: 

algo(po, P, p) <— decision.of (P, R, p). 

algo(po, P, i dp ) <- not algo(po, P, p), decision.of (P, R, i dp ). 

algo(po, P, idp) <— not algo(po, P, p), decision_of(P, Ri, i p ), decision_of (P, R2, d). 
algo(po, P, idp) not algo(po, P, p), decision_of (P, Pi, i p ), decision_of (P, P2, id). 
algo(po, P, i p ) not algo(po, P, p), not algo(po, P, id p ), decision.of (P, R, i p ). 
algo(po, P, d) <— not algo(po, P, p), not algo(po, P, idp), not algo(po, P, i p ), 

decision.of (P, R, d). 
algo(po, P, id) <— not algo(po, P, p), not algo(po, P, id P ), not algo(po, P, i p ), 

not algo(po, P, d), decision_of (P, P, id). 
algo(po, P, na) <— not algo(po, P, p), not algo(po, P, idp), not algo(po, P, i p ), 

not algo(po, P, d), not algo(po, P, id). 



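First-Applicable Transformation. Let $\Pi_{\mathsf{fa}}$ be a logic program obtained by first-applicable
combining algorithm transformation (see (9) for the first-applicable combining
algorithm semantics). For each Policy (or PolicySet) which uses this combining algorithm,
$\mathcal{P}_{id} = [\mathcal{T}, \langle \mathcal{R}_1, \ldots, \mathcal{R}_n \rangle, \mathsf{fa}]$, $\Pi_{\mathcal{P}_{id}}$ contains:

$$
\begin{array}{l}
\mathsf{algo}(\mathsf{fa}, \mathcal{P}_{id}, E) \leftarrow \mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}_1, E),\ E \neq \mathsf{na}. \\
\mathsf{algo}(\mathsf{fa}, \mathcal{P}_{id}, E) \leftarrow \mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}_1, \mathsf{na}),\ \mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}_2, E),\ E \neq \mathsf{na}. \\
\qquad \vdots \\
\mathsf{algo}(\mathsf{fa}, \mathcal{P}_{id}, E) \leftarrow \mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}_1, \mathsf{na}), \ldots, \mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}_{n-1}, \mathsf{na}),\ \mathsf{decision\_of}(\mathcal{P}_{id}, \mathcal{R}_n, E).
\end{array}
$$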



Only-One-Applicable Transformation. Let i7 ooa be a logic program obtained by only- 
one-applicable combining algorithm transformation (see (10) for the only-one-applicable 



combining algorithm semantics). 77 ooa contains: 
algo(ooa, P, i dp ) *r- decision.of (P, R, i dp ). 

algo(ooa, P, idp) <— decision_of(P, Pi, id), decision_of(P, R2, i p ), Ri 7^ Ri- 
algo(ooa, P, idp) <— decision_of(P, Ri, id), decision.of (P, R2, p), Pi 7^ i?2- 
algo(ooa, P, idp) <— decision_of(P, Pi, d), decision_of(P, R2, i p ), Pi 7^ P2- 
algo(ooa, P, idp) decision_of(P, Pi, d), decision.of (P, P2, p), Pi 7^ P2- 
algo(ooa, P, i p ) 4- not algo(ooa, P, i dp ), decision_of (P, P, i p ). 

algo(ooa, P, ip) not algo(ooa, P, i dp ), decision_of (P, Pi, p), decision_of (P, P2, p), Pi 7^ P2- 
algo(ooa, P, id) not algo(ooa, P, i dp ), decision_of (P, P, i d ). 

algo(ooa, P, i d ) not algo(ooa, P, id p ), decision_of (P, Pi, d), decision_of (P, P2, d), Pi 7^ P2. 
algo(ooa, P, p) «— not algo(ooa, P, i dp ), not (00a, P, id), not (00a, P, i p ), decision.of (P, P, p). 
algo(ooa, P, d) 4— not algo(ooa, P, i dp ), not (00a, P, i d ), not (00a, P, i p ), decision.of (P, P, d). 
algo(ooa, P, na) <— not algo(ooa, P, i dp ), not (00a, P, i d ), not (00a, P, i p ), 
not decision_of (P, P, d), not decision_of (P, P, p). 



4 Relation between XACML-ASP and XACML 3.0 Semantics 

In this section we discuss the relationship between the ASP semantics and XACML 3.0
semantics. First, we recall the semantics of logic programs based on their answer sets.
Then, we show that the program obtained from transforming XACML components into
LPs ($\Pi_{XACML}$), merged with the query program ($\Pi_{\mathcal{Q}}$), has a unique answer set and that
this answer set corresponds to the semantics of XACML 3.0.

4.1 ASP Semantics 

The declarative semantics of a logic program is given by a model-theoretic semantics 
of formulae in the underlying language. The formal definition of answer set semantics 
can be found in much literature such as [3,6]. 

The answer set semantics of logic program $\Pi$ assigns to $\Pi$ a collection of answer
sets - interpretations of $ground(\Pi)$. An interpretation $I$ of $ground(\Pi)$ is an answer set
for $\Pi$ if $I$ is minimal (w.r.t. set inclusion) among the interpretations satisfying the rules
of

$$
\Pi^{I} = \{ A \leftarrow B_1, \ldots, B_m \mid A \leftarrow B_1, \ldots, B_m, \mathsf{not}\ B_{m+1}, \ldots, \mathsf{not}\ B_n \in \Pi \text{ and } I(\mathsf{not}\ B_{m+1}, \ldots, \mathsf{not}\ B_n) = true \}
$$

A logic program can have a single unique answer set, many or no answer set(s).
Therefore, we show that programs with a particular characteristic are guaranteed to have a
unique answer set.

Acyclic Programs. We say that a program is acyclic when there is no cycle in the
program. The acyclicity in the program is guaranteed by the existence of a certain fixed
assignment of natural numbers to atoms that is called a level mapping.
A level mapping for a program $\Pi$ is a function

$$
l : B_{\Pi} \to \mathbb{N}
$$

where $\mathbb{N}$ is the set of natural numbers and $B_{\Pi}$ is the Herbrand base for $\Pi$. We extend
the definition of level mapping to a mapping from ground literals to natural numbers by
setting $l(\mathsf{not}\ A) = l(A)$.

Let $\Pi$ be a logic program and $l$ be a level mapping for $\Pi$. $\Pi$ is acyclic with respect
to $l$ if for every clause $A \leftarrow B_1, \ldots, B_m, \mathsf{not}\ B_{m+1}, \ldots, \mathsf{not}\ B_n$ in $ground(\Pi)$ we
find

$$
l(A) > l(B_i) \quad \text{for all } i \text{ with } 1 \le i \le n
$$

$\Pi$ is acyclic if it is acyclic with respect to some level mapping. Acyclic
programs are guaranteed to have a unique answer set [3].

4.2 XACML Semantics Based On ASP Semantics 

We can see from Sect. 3 that all of the XACML 3.0 transformation programs are acyclic.
Thus, it is guaranteed that $\Pi_{XACML}$ has a unique answer set.

Proposition 1. Let $\Pi_{XACML}$ be a program obtained from XACML 3.0 element
transformations and let $\Pi_{\mathcal{Q}}$ be a program transformation of Request $\mathcal{Q}$. Let $I$ be the answer set
of $\Pi_{XACML} \cup \Pi_{\mathcal{Q}}$. Then the following equation holds

$$
[\![X]\!](\mathcal{Q}) = V \quad \text{iff} \quad \mathsf{val}(X, V) \in I
$$

where $X$ is an XACML component.

Note: We can see that there is no cycle in all of the program transformations. Thus,
there is a guarantee that the answer set of $\Pi_{XACML} \cup \Pi_{\mathcal{Q}}$ is unique. The transformation of
each component into a logic program is based on exactly the definition of its XACML
evaluation. The proof of this proposition can be seen in the extended version in [10].

5 Analysis XACML Policies Using Answer Set Programming 

In this section we show how to use ASP for analysing access control security properties
through $\Pi_{XACML}$. In most cases, an ASP solver can solve combinatorial problems efficiently.
There are several combinatorial problems in the analysis of access control policies, e.g., the
gap-free property and the conflict-free property [14,5]. In this section we look at gap-free
analysis since in XACML 3.0 conflicts never occur.⁵ We also present a mechanism for the
verification of security properties against a set of access control policies.

5.1 Query Generator 

In order to analyse an access control property, sometimes we need to analyse all possible
queries that might occur. We use cardinality constraints (see [15,16]) to generate all
possible values stored in the database for each attribute. For example, we have the
following generator:

$\Pi_{generator}$:

$$
\begin{array}{ll}
(1) & 1\{\mathsf{subject}(X) : \mathsf{subject\_db}(X)\}1 \leftarrow \top. \\
(2) & 1\{\mathsf{action}(X) : \mathsf{action\_db}(X)\}1 \leftarrow \top. \\
(3) & 1\{\mathsf{resource}(X) : \mathsf{resource\_db}(X)\}1 \leftarrow \top. \\
(4) & 1\{\mathsf{environment}(X) : \mathsf{environment\_db}(X)\}1 \leftarrow \top.
\end{array}
$$

The first line of the encoding means that we only consider one and only one subject
attribute value obtained from the subject database. The rest of the encoding means the
same as the subject attribute.

⁵ A conflict decision never occurs when we strictly use the standard combining algorithms
defined in XACML 3.0, since every combining algorithm always returns one value.



5.2 Gap-Free Analysis 



A set of policies is gap-free if there is no access request for which there is an absence
of decision. XACML defines that there is one PolicySet as the root of a set of policies.
Hence, we say that there is a gap whenever we can find a request for which the
semantics of $\mathcal{PS}_{root}$ is assigned to $\mathsf{na}$. We force the ASP solver to find the gap by the
following encoding.

$$
\begin{array}{l}
\mathsf{gap} \leftarrow \mathsf{val}(\mathcal{PS}_{root}, \mathsf{na}). \\
\bot \leftarrow \mathsf{not}\ \mathsf{gap}.
\end{array}
$$

In order to make sure that a set of policies is gap-free we should generate all possible
requests and test whether at least one request is not captured by the set of policies. Thus,
the answer sets of program $\mathcal{P} = \Pi_{XACML} \cup \Pi_{generator} \cup \Pi_{gap}$ are witnesses that the set
of policies encoded in $\Pi_{XACML}$ is incomplete. When there is no model that satisfies the
program then we are sure that the set of policies captures all of the possible cases.



5.3 Property Analysis 

The problem of verifying a security property $\Phi$ on XACML policies is not only to show 
that the property $\Phi$ holds on $\Pi_{XACML}$ but also to obtain witnesses whenever 
the property $\Phi$ does not hold, in order to help the policy developer refine the policies. 
Thus, we can see this problem as finding models for $\Pi_{XACML} \cup \Pi_{generator} \cup \Pi_{\neg\Phi}$. A 
model that is found is a witness that the XACML policies cannot satisfy the property $\Phi$. 

Example 2. Suppose we have a security property: 

$\Phi$: An anonymous person cannot read any patient records. 

Thus, the negation of property $\Phi$ is as follows: 

An anonymous person can read any patient records. 

We define that anonymous persons are those who are neither patients, nor guardians, 
nor doctors, nor nurses. We encode $\Pi_{\neg\Phi}$ as follows: 

(1) $\mathsf{anonymous} \leftarrow \mathbf{not}\ \mathsf{subject}(\mathsf{patient}), \mathbf{not}\ \mathsf{subject}(\mathsf{guardian}),$ 

$\mathbf{not}\ \mathsf{subject}(\mathsf{doctor}), \mathbf{not}\ \mathsf{subject}(\mathsf{nurse}).$ 

(2) $\bot \leftarrow \mathbf{not}\ \mathsf{anonymous}.$ 

(3) $\mathsf{action}(\mathsf{read}) \leftarrow \top.$ 

(4) $\mathsf{resource}(\mathsf{patient\_record}) \leftarrow \top.$ 

(5) $\bot \leftarrow \mathbf{not}\ \mathsf{val}(\mathcal{PS}_{root}, \mathsf{p}).$ 

We list all of the requirements (lines 1 - 4). We force the program to find an anonymous 
person (line 2). Later we force the returned decision to be permit (line 5). 
When the program $\Pi_{XACML} \cup \Pi_{generator} \cup \Pi_{\neg\Phi}$ returns models, we conclude that the 
property $\Phi$ does not hold and the returned models are the flaws in the policies. On the 
other hand, we conclude that the property $\Phi$ is satisfied if no model is found. 
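
The gap-free check of Section 5.2 and the property check of Example 2, as an added example that is not code from the paper: plain Python enumeration stands in for the ASP solver, and the attribute databases, the toy rules and every function name are constructed assumptions. Rule evaluation is simplified to target matching, while the combining step follows XACML 3.0 permit-overrides.

```python
from itertools import product

# Constructed attribute databases: the *_db facts the generator draws from.
SUBJECT_DB = ["patient", "guardian", "doctor", "nurse", "visitor"]
ACTION_DB = ["read", "write"]
RESOURCE_DB = ["patient_record", "schedule"]

# Constructed toy root policy. Each rule is (effect, subjects, actions,
# resources); None in a target position matches any value.
RULES = [
    ("p", {"doctor", "nurse"}, None, {"patient_record"}),
    ("p", {"patient", "guardian"}, {"read"}, {"patient_record"}),
    ("d", {"patient", "guardian"}, {"write"}, {"patient_record"}),
    ("p", None, {"read"}, None),  # overly broad: any subject may read anything
    ("p", {"doctor"}, {"write"}, {"schedule"}),
]
# Same policy with the broad rule narrowed to the schedule only.
FIXED_RULES = RULES[:3] + [("p", None, {"read"}, {"schedule"})] + RULES[4:]

# Subjects that are not anonymous, following the definition in Example 2.
KNOWN_SUBJECTS = {"patient", "guardian", "doctor", "nurse"}


def generate_requests():
    """Query generator: exactly one value per attribute, like 1{...}1."""
    return list(product(SUBJECT_DB, ACTION_DB, RESOURCE_DB))


def eval_rule(rule, request):
    """Simplified Rule evaluation: the effect if the target matches, else na.
    Conditions and indeterminate results are left out of this toy model."""
    effect, *target = rule
    matched = all(t is None or v in t for t, v in zip(target, request))
    return effect if matched else "na"


def permit_overrides(values):
    """XACML 3.0 permit-overrides over rule values p, d, i_p, i_d, i_dp, na."""
    vs = set(values)
    if "p" in vs:
        return "p"
    if "i_dp" in vs or ("i_p" in vs and vs & {"d", "i_d"}):
        return "i_dp"
    for v in ("i_p", "d", "i_d"):
        if v in vs:
            return v
    return "na"


def decide(rules, request):
    """Decision of the root policy for one request."""
    return permit_overrides(eval_rule(r, request) for r in rules)


def find_gaps(rules):
    """Witnesses for the gap program: requests whose root decision is na."""
    return [q for q in generate_requests() if decide(rules, q) == "na"]


def negated_property(request, decision):
    """not-Phi from Example 2: an anonymous subject is permitted to read a
    patient record."""
    subject, action, resource = request
    return (subject not in KNOWN_SUBJECTS and action == "read"
            and resource == "patient_record" and decision == "p")


def find_violations(rules):
    """Witnesses for not-Phi; an empty list means the property holds."""
    return [q for q in generate_requests()
            if negated_property(q, decide(rules, q))]


if __name__ == "__main__":
    print("gaps:", find_gaps(RULES))
    print("violations:", find_violations(RULES))
    print("violations after fix:", find_violations(FIXED_RULES))
    print("gaps after fix:", find_gaps(FIXED_RULES))
```

Narrowing the broad rule removes the witness against the property, but the anonymous read request then has no applicable rule, so the gap check reports one more witness.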



6 Related Work 



There are some approaches to defining AC policies in LPs: Barker et al. [4] 
use constraint logic programs to define role-based access control, and Jajodia et al. [7] 
use the FAM / CAM program - a logical language that uses a fixed set of predicates. 
However, their approaches are based on their own access control policy languages whereas 
our approach is to define a well-known access control policy language, XACML. 

Our approach is inspired by the work of Ahn et al. [1,2]. There are three main 
differences between our approach and the work of Ahn et al. 

First, while they consider XACML version 2.0 [8], we address the newer version, 
XACML 3.0. The main difference between XACML 3.0 and XACML 2.0 is the 
treatment of indeterminate values. As a consequence, the combining algorithms in XACML 
3.0 are more complex than the ones in XACML 2.0. XACML 2.0 only has a single 
indeterminate value while XACML 3.0 distinguishes between the following three types 
of indeterminate values: 

i. Indeterminate permit ($\mathsf{i_p}$) - an indeterminate value arising from a policy which 
could have been evaluated to permit but not deny; 

ii. Indeterminate deny ($\mathsf{i_d}$) - an indeterminate value arising from a policy which could 
have been evaluated to deny but not permit; 

iii. Indeterminate deny permit ($\mathsf{i_{dp}}$) - an indeterminate value arising from a policy 
which could have been evaluated as both deny and permit. 

Second, Ahn et al. produce a monolithic logic program that can be used for the 
analysis of XACML policies while we take a more modular approach by first modelling an 
XACML PDP as a logic program and then using this encoding within a larger program 
for property analysis. While Ahn et al. only emphasize the indeterminate value in the 
combining algorithms, our concern is the "indeterminate" value in all aspects of XACML 
components, i.e., in Match, AnyOf, AllOf, Target, Condition, Rule, Policy and 
PolicySet components. Hence, we show that our main concern is to simulate the PDP as in 
the XACML model. 

Finally, Ahn et al. translate the XACML specification directly into logic 
programming, so the ambiguities in the natural language specification of XACML are also 
reflected in their encodings. To avoid this, we base our encodings on our formalisation of 
XACML from [9]. 

7 Conclusion and Future Work 

We have modelled the XACML Policy Decision Point in a declarative way using the 
ASP technique by transforming XACML 3.0 elements into logic programs. Our 
transformation of XACML 3.0 elements is directly based on XACML 3.0 semantics [11] and 
we have shown that the answer set of each program transformation is unique and that 
it agrees with the semantics of XACML 3.0. Moreover, we can help policy developers 
analyse their access control policies, such as checking policies' completeness and 
verifying policy properties, by inspecting the answer set of $\Pi_{XACML} \cup \Pi_{generator} \cup \Pi_{configuration}$ 
- the program obtained by transforming XACML 3.0 elements into logic programs 
joined with a query generator program and a configuration program. 

For future work, we can extend our work to handle role-based access control in 
XACML 3.0 [13] and to handle delegation in XACML 3.0 [12]. Also, we can extend 
our work for checking reachability of policies. A policy is reachable if we can find a 
request such that this policy is applicable. Thus, by removing unreachable policies we 
will not change the behaviour of the whole set of policies. 
A ASP Semantics 

A.1 Interpretations and Models 

The Herbrand Universe $U_{\mathcal{L}}$ for a language $\mathcal{L}$ is the set of all ground terms that can 
be formed from the constants and function symbols appearing in $\mathcal{L}$. The Herbrand 
base $B_{\mathcal{L}}$ for a language $\mathcal{L}$ is the set of all ground atoms that can be formed by using 
predicate symbols from $\mathcal{L}$ and ground terms from $U_{\mathcal{L}}$ as arguments. By $B_\Pi$ we denote 
the Herbrand base for the language underlying the program $\Pi$. When the context is clear, 
we are safe to omit $\Pi$. 

An interpretation $I$ of a program $\Pi$ is a mapping from the Herbrand base $B_\Pi$ to the 
set of truth values: true and false ($\{\top, \bot\}$). All atoms belonging to interpretation $I$ are 
mapped to $\top$. All atoms which do not occur in $I$ are mapped to $\bot$. 

The truth value of arbitrary formulae under some interpretation can be determined 
from a truth table as usual (see Table 2). 

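Table 2. Truth Values for Formulae 

| $\phi$ | $\psi$ | $\mathbf{not}\ \phi$ | $\phi \wedge \psi$ | $\phi \leftarrow \psi$ |
|---|---|---|---|---|
| $\top$ | $\top$ | $\bot$ | $\top$ | $\top$ |
| $\top$ | $\bot$ | $\bot$ | $\bot$ | $\top$ |
| $\bot$ | $\top$ | $\top$ | $\bot$ | $\bot$ |
| $\bot$ | $\bot$ | $\top$ | $\bot$ | $\top$ |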



The logical value of ground formulae can be derived from Table 2 in the usual way. 
A formula $\phi$ is then true under interpretation $I$, denoted by $I(\phi) = \top$, if all its ground 
instances are true in $I$; it is false under interpretation $I$, denoted by $I(\phi) = \bot$, if there 
is a ground instance of $\phi$ that is false in $I$. 

Let $I$ be an interpretation. $I$ satisfies formula $\phi$ if $I(\phi) = \top$. For a program $\Pi$, we 
say $I$ satisfies $\Pi$ if $I$ satisfies every rule in $\Pi$. An interpretation $I$ is a model of 
formula $\phi$ if $I$ satisfies $\phi$. 

Let $\mathcal{I}$ be a collection of interpretations. Then an interpretation $I$ in $\mathcal{I}$ is called 
minimal in $\mathcal{I}$ if and only if there is no interpretation $J$ in $\mathcal{I}$ such that $J \subset I$. An 
interpretation $I$ is called least in $\mathcal{I}$ if and only if $I \subseteq J$ for any interpretation $J$ in $\mathcal{I}$. A model 
$M$ of a program $\Pi$ is called minimal (respectively least) if it is minimal (respectively 
least) among all models of $\Pi$. 

A.2 Answer Set 

An interpretation $I$ of $ground(\Pi)$ is an answer set for $\Pi$ if $I$ is minimal (w.r.t. set 
inclusion) among the interpretations satisfying the rules of 

$\Pi^I = \{A \leftarrow B_1, \ldots, B_m \mid A \leftarrow B_1, \ldots, B_m, \mathbf{not}\ B_{m+1}, \ldots, \mathbf{not}\ B_n \in \Pi$ and 

$I(\mathbf{not}\ B_{m+1}, \ldots, \mathbf{not}\ B_n) = \top\}$ 

B Proofs 

Lemma 1. Let $M$ be an answer set of program $\Pi$ and let $H \leftarrow Body$ be a rule in $\Pi$. 
Then, $H \in M$ if $M(Body) = \top$. 

Proof. Let $Body = B_1, \ldots, B_m, \mathbf{not}\ B_{m+1}, \ldots, \mathbf{not}\ B_n$. To show that the lemma holds, 
suppose $M(Body) = \top$. Then we find that $\{B_1, \ldots, B_m\} \subseteq M$ and $M \cap \{B_{m+1}, \ldots, B_n\} = \emptyset$. 
Since $M$ is a minimal model of $\Pi^M$, we find that $H \leftarrow B_1, \ldots, B_m$ is in $\Pi^M$. 
Since $\{B_1, \ldots, B_m\} \subseteq M$ and $M$ is a model, $M(H) = \top$. Thus $H \in M$. □ 

Lemma 1 only ensures that if the body of a rule is true under an answer set 
$M$ then the head is also in $M$. However, in general, if the head of a rule is in an answer 
set $M$ then there is no guarantee that the body is always true under $M$. For example, 
suppose we have a program $\{\, p \leftarrow \top.,\ p \leftarrow q. \,\}$. In this example the only answer set is 
$M = \{p\}$. We can see that $p$ is in $M$. However, $q$ is not in $M$, thus $M(q)$ is false. 

Lemma 2. Let $M$ be an answer set of program $\Pi$ and let $H$ be in $M$. Then, there is a 
rule in $\Pi$ with $H$ as the head. 

Proof. Suppose that $M$ is an answer set of program $\Pi$. Then we find that $M$ is a 
minimal model of $\Pi^M$. Suppose $H \in M$ and there is no rule in $\Pi^M$ with $H$ as 
the head. Then, we find that $M' = M \setminus \{H\}$ and $M'$ is a model of $\Pi^M$. $M$ is a 
minimal model of $\Pi^M$ but we have $M' \subset M$. Therefore we find a contradiction. Thus, 
there should be a rule in $\Pi^M$ with $H$ as the head. Hence, there is a rule in $\Pi$ 
with $H$ as the head. □ 

Lemma 3. Let $M$ be an answer set of program $\Pi$ and let $H$ be in $M$. Then, there exists 
a rule with $H$ as the head whose body is true under $M$. 

Proof. Suppose that $M$ is an answer set of program $\Pi$. Since $H$ is in $M$, by 
Lemma 2, we find that there is a rule in $\Pi$ of the form $H \leftarrow Body$. Suppose that 
$M(Body) \neq \top$. Therefore, $H \leftarrow Body$ is not in $\Pi^M$. Moreover, we can find 
another interpretation $M'$ such that $M' = M \setminus \{H\}$ and $M'$ is also a model of $\Pi^M$. However, 
we know that $M$ is a minimal model for $\Pi^M$ but we have $M' \subset M$. Thus, there is a 
contradiction. □ 



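We define some notation: 

| XACML Components | XACML Symbols | LP Symbols |
|---|---|---|
| Match | $\mathcal{M}$ | $\Pi^{\mathcal{M}} = \Pi_{\mathcal{M}}$ |
| AllOf | $\mathcal{A} = \bigwedge \mathcal{M}_i$ | $\Pi^{\mathcal{A}} = \bigcup \Pi^{\mathcal{M}_i} \cup \Pi_{\mathcal{A}}$ |
| AnyOf | $\mathcal{E} = \bigvee \mathcal{A}_i$ | $\Pi^{\mathcal{E}} = \bigcup \Pi^{\mathcal{A}_i} \cup \Pi_{\mathcal{E}}$ |
| Target | $\mathcal{T} = \bigwedge \mathcal{E}_i$ | $\Pi^{\mathcal{T}} = \bigcup \Pi^{\mathcal{E}_i} \cup \Pi_{\mathcal{T}}$ |
| Condition | $\mathcal{C}$ | $\Pi^{\mathcal{C}} = \Pi_{\mathcal{C}}$ |
| Rule | $\mathcal{R} = [E, \mathcal{T}, \mathcal{C}]$ | $\Pi^{\mathcal{R}} = \Pi^{\mathcal{T}} \cup \Pi^{\mathcal{C}} \cup \Pi_{\mathcal{R}}$ |
| Policy | $\mathcal{P} = [\mathcal{T}, \langle \mathcal{R}_1, \ldots, \mathcal{R}_n \rangle, \mathsf{CombID}]$ | $\Pi^{\mathcal{P}} = \bigcup \Pi^{\mathcal{R}_i} \cup \Pi^{\mathcal{T}} \cup \Pi^{\mathsf{CombID}} \cup \Pi_{\mathcal{P}}$ |
| PolicySet | $\mathcal{PS} = [\mathcal{T}, \langle \mathcal{P}_1, \ldots, \mathcal{P}_n \rangle, \mathsf{CombID}]$ | $\Pi^{\mathcal{PS}} = \bigcup \Pi^{\mathcal{P}_i} \cup \Pi^{\mathcal{T}} \cup \Pi^{\mathsf{CombID}} \cup \Pi_{\mathcal{PS}}$ |
| Combining Algorithm | $\mathsf{CombID}$ is either $\mathsf{po}$ or $\mathsf{fa}$ or $\mathsf{ooa}$ | $\Pi^{\mathsf{CombID}} = \bigcup \Pi^{\mathcal{R}_i} \cup \Pi^{\mathcal{P}_i} \cup \Pi_{\mathsf{CombID}}$ |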



Match Evaluation. 

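Lemma 4. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{M}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = \mathsf{m}$ if and only if $\mathsf{val}(\mathcal{M}, \mathsf{m}) \in M$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = \mathsf{m}$ holds. Then, as defined in (1), $\mathcal{M} \in \mathcal{Q}$ and 
$\mathsf{error}(\mathcal{M}) \notin \mathcal{Q}$. Based on the transformation of the Request element, we find that 
$\mathcal{M} \leftarrow \top$ is in $\Pi$ and there is no rule with $\mathsf{error}(\mathcal{M})$ as the head in $\Pi$. Since $M$ 
is the minimal model of $\Pi$, we get that $\mathcal{M} \in M$ and $\mathsf{error}(\mathcal{M}) \notin M$. Thus we get that 
$M(\mathcal{M} \wedge \mathbf{not}\ \mathsf{error}(\mathcal{M})) = \top$. Therefore, by Lemma 1, $\mathsf{val}(\mathcal{M}, \mathsf{m}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{M}, \mathsf{m}) \in M$. By Lemma 3 we get that there is a rule with 
$\mathsf{val}(\mathcal{M}, \mathsf{m})$ as the head whose body is true under $M$. Since there is only one rule with 
$\mathsf{val}(\mathcal{M}, \mathsf{m})$ as the head in $\Pi$, i.e., $\mathsf{val}(\mathcal{M}, \mathsf{m}) \leftarrow \mathcal{M}, \mathbf{not}\ \mathsf{error}(\mathcal{M})$, we find that 
$M(\mathcal{M} \wedge \mathbf{not}\ \mathsf{error}(\mathcal{M})) = \top$. Therefore, $\mathcal{M} \in M$ and $\mathsf{error}(\mathcal{M}) \notin M$. Since the only 
way to have $\mathcal{M}$ true in this case is through the Request transformation, we get 
that $\mathcal{M} \in \mathcal{Q}$ and $\mathsf{error}(\mathcal{M}) \notin \mathcal{Q}$. Therefore, we obtain $\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = \mathsf{m}$. □ 

Lemma 5. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{M}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = \mathsf{nm}$ if and only if $\mathsf{val}(\mathcal{M}, \mathsf{nm}) \in M$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = \mathsf{nm}$. Then, as defined in (1), we have that $\mathcal{M} \notin \mathcal{Q}$ and 
$\mathsf{error}(\mathcal{M}) \notin \mathcal{Q}$. Based on the transformation of Request, we find that there is no rule 
with $\mathcal{M}$ or $\mathsf{error}(\mathcal{M})$ as the head. Since $M$ is the minimal model of $\Pi$, we get that 
$\mathcal{M}$ and $\mathsf{error}(\mathcal{M})$ are not in $M$. Thus, we get that $M(\mathbf{not}\ \mathcal{M} \wedge \mathbf{not}\ \mathsf{error}(\mathcal{M})) = \top$. 
Therefore, by Lemma 1, $\mathsf{val}(\mathcal{M}, \mathsf{nm}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{M}, \mathsf{nm}) \in M$. Based on Lemma 3 we get 
that there is a rule with $\mathsf{val}(\mathcal{M}, \mathsf{nm})$ as the head whose body is true under $M$. 
Since there is only one rule with $\mathsf{val}(\mathcal{M}, \mathsf{nm})$ as the head in $\Pi$, i.e., $\mathsf{val}(\mathcal{M}, \mathsf{nm}) \leftarrow 
\mathbf{not}\ \mathcal{M}, \mathbf{not}\ \mathsf{error}(\mathcal{M})$, we find that $M(\mathbf{not}\ \mathcal{M} \wedge \mathbf{not}\ \mathsf{error}(\mathcal{M})) = \top$. 
Therefore, $\mathcal{M} \notin M$ and $\mathsf{error}(\mathcal{M}) \notin M$. Since the only way of declaring facts in this case 
is through the Request transformation, we get that $\mathcal{M} \notin \mathcal{Q}$ and $\mathsf{error}(\mathcal{M}) \notin \mathcal{Q}$. 
Therefore, we obtain $\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = \mathsf{nm}$. □ 

Lemma 6. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{M}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = \mathsf{idt}$ if and only if $\mathsf{val}(\mathcal{M}, \mathsf{idt}) \in M$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = \mathsf{idt}$ holds. Then, as defined in (1), 
we have that $\mathsf{error}(\mathcal{M}) \in \mathcal{Q}$. Based on the transformation of the Request element, we find 
that $\mathsf{error}(\mathcal{M}) \leftarrow \top$ is in $\Pi$. Since $M$ is the minimal model of $\Pi$, we get that 
$\mathsf{error}(\mathcal{M}) \in M$. Thus, we get that $M(\mathsf{error}(\mathcal{M})) = \top$. Therefore, $\mathsf{val}(\mathcal{M}, \mathsf{idt}) \in M$ 
since $M$ is the minimal model of $\Pi$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{M}, \mathsf{idt}) \in M$. Based on Lemma 3 we get that there is a rule 
with $\mathsf{val}(\mathcal{M}, \mathsf{idt})$ as the head whose body is true under $M$. Since there is only 
one rule in $\Pi$ with $\mathsf{val}(\mathcal{M}, \mathsf{idt})$ in the head, i.e., $\mathsf{val}(\mathcal{M}, \mathsf{idt}) \leftarrow \mathsf{error}(\mathcal{M})$, we 
find that $M(\mathsf{error}(\mathcal{M})) = \top$. Therefore, $\mathsf{error}(\mathcal{M}) \in M$. Since the only way to 
have $\mathsf{error}(\mathcal{M})$ true in this case is through the Request transformation, we get that 
$\mathsf{error}(\mathcal{M}) \in \mathcal{Q}$. Therefore, we obtain $\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = \mathsf{idt}$. □ 

Proposition 2. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{M}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{M} \rrbracket(\mathcal{Q}) = V$ if and only if $\mathsf{val}(\mathcal{M}, V) \in M$. 

Proof. It follows from Lemma 4, Lemma 5 and Lemma 6 since the value of $V$ only has 
three possibilities, i.e., $\{\mathsf{m}, \mathsf{nm}, \mathsf{idt}\}$. □ 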

AllOf Evaluation. 

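Lemma 7. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{A}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = \mathsf{m}$ if and only if $\mathsf{val}(\mathcal{A}, \mathsf{m}) \in M$. 

Proof. Let $\mathcal{A} = \bigwedge_{i=1}^{n} \mathcal{M}_i$. 

($\Rightarrow$) Suppose that $\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = \mathsf{m}$ holds. Then, as defined in (2), $\forall i : \llbracket \mathcal{M}_i \rrbracket(\mathcal{Q}) = 
\mathsf{m}$, $1 \le i \le n$. Based on Prop. 2, $\forall i : \mathsf{val}(\mathcal{M}_i, \mathsf{m}) \in M$, $1 \le i \le n$. Therefore, 
$M(\mathsf{val}(\mathcal{M}_1, \mathsf{m}) \wedge \ldots \wedge \mathsf{val}(\mathcal{M}_n, \mathsf{m})) = \top$. Hence, by Lemma 1, $\mathsf{val}(\mathcal{A}, \mathsf{m}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{A}, \mathsf{m}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{val}(\mathcal{A}, \mathsf{m})$ 
as the head whose body is true under $M$. Since there is only one rule in $\Pi$ with 
$\mathsf{val}(\mathcal{A}, \mathsf{m})$ in the head, i.e., $\mathsf{val}(\mathcal{A}, \mathsf{m}) \leftarrow \mathsf{val}(\mathcal{M}_1, \mathsf{m}), \ldots, \mathsf{val}(\mathcal{M}_n, \mathsf{m})$, we find that 
$M(\mathsf{val}(\mathcal{M}_1, \mathsf{m}) \wedge \ldots \wedge \mathsf{val}(\mathcal{M}_n, \mathsf{m})) = \top$. Therefore, $\mathsf{val}(\mathcal{M}_i, \mathsf{m}) \in M$, $1 \le i \le n$. 
Based on Prop. 2, $\llbracket \mathcal{M}_i \rrbracket(\mathcal{Q}) = \mathsf{m}$, $1 \le i \le n$. Therefore, based on (2), we obtain 
$\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = \mathsf{m}$. □ 

Lemma 8. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{A}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = \mathsf{nm}$ if and only if $\mathsf{val}(\mathcal{A}, \mathsf{nm}) \in M$. 

Proof. Let $\mathcal{A} = \bigwedge_{i=1}^{n} \mathcal{M}_i$. 

($\Rightarrow$) Suppose that $\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = \mathsf{nm}$ holds. Then, as defined in (2), we have that $\exists i : 
\llbracket \mathcal{M}_i \rrbracket(\mathcal{Q}) = \mathsf{nm}$. Based on Prop. 2 we get that $\exists i : \mathsf{val}(\mathcal{M}_i, \mathsf{nm}) \in M$. Thus, we get 
that $\exists i : M(\mathsf{val}(\mathcal{M}_i, \mathsf{nm})) = \top$. Therefore, by Lemma 1, $\mathsf{val}(\mathcal{A}, \mathsf{nm}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{A}, \mathsf{nm}) \in M$. Based on Lemma 3 we get that there is a rule with 
$\mathsf{val}(\mathcal{A}, \mathsf{nm})$ as the head whose body is true under $M$. Based on the AllOf transformation, 
$\exists i : M(\mathsf{val}(\mathcal{M}_i, \mathsf{nm})) = \top$. Therefore, $\exists i : \mathsf{val}(\mathcal{M}_i, \mathsf{nm}) \in M$. Based on Prop. 2 we 
get that $\exists i : \llbracket \mathcal{M}_i \rrbracket(\mathcal{Q}) = \mathsf{nm}$. Therefore, based on (2), we obtain $\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = \mathsf{nm}$. □ 

Lemma 9. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{A}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = \mathsf{idt}$ if and only if $\mathsf{val}(\mathcal{A}, \mathsf{idt}) \in M$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = \mathsf{idt}$. Then, as defined in (2), $\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) \neq \mathsf{m}$ and 
$\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) \neq \mathsf{nm}$. Thus, by Lemma 7 and Lemma 8, $\mathsf{val}(\mathcal{A}, \mathsf{m}) \notin M$ and $\mathsf{val}(\mathcal{A}, \mathsf{nm}) \notin 
M$. Hence, $M(\mathbf{not}\ \mathsf{val}(\mathcal{A}, \mathsf{m}) \wedge \mathbf{not}\ \mathsf{val}(\mathcal{A}, \mathsf{nm})) = \top$. Therefore, by Lemma 1, 
$\mathsf{val}(\mathcal{A}, \mathsf{idt}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{A}, \mathsf{idt}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{val}(\mathcal{A}, \mathsf{idt})$ 
as the head whose body is true under $M$. There is only one rule with $\mathsf{val}(\mathcal{A}, \mathsf{idt})$ as the 
head in $\Pi$, i.e., $\mathsf{val}(\mathcal{A}, \mathsf{idt}) \leftarrow \mathbf{not}\ \mathsf{val}(\mathcal{A}, \mathsf{m}), \mathbf{not}\ \mathsf{val}(\mathcal{A}, \mathsf{nm})$. Hence, $\mathsf{val}(\mathcal{A}, \mathsf{m}) \notin M$ 
and $\mathsf{val}(\mathcal{A}, \mathsf{nm}) \notin M$. Based on Lemma 7 and Lemma 8 we get that $\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) \neq \mathsf{m}$ and 
$\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) \neq \mathsf{nm}$. Therefore, based on (2), we obtain $\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = \mathsf{idt}$. □ 

Proposition 3. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{A}}$ be a program obtained by merging the Request 
transformation program $\Pi_{\mathcal{Q}}$ and the AllOf $\mathcal{A}$ transformation program with all of its 
components $\Pi^{\mathcal{A}}$. Let $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{A} \rrbracket(\mathcal{Q}) = V$ if and only if $\mathsf{val}(\mathcal{A}, V) \in M$. 

Proof. It follows from Lemma 7, Lemma 8 and Lemma 9 since the value of $V$ only has 
three possibilities, i.e., $\{\mathsf{m}, \mathsf{nm}, \mathsf{idt}\}$. □ 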

AnyOf Evaluation. 

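Lemma 10. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{E}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = \mathsf{m}$ if and only if $\mathsf{val}(\mathcal{E}, \mathsf{m}) \in M$. 

Proof. Let $\mathcal{E} = \bigvee_{i=1}^{n} \mathcal{A}_i$. 

($\Rightarrow$) Suppose that $\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = \mathsf{m}$ holds. Then, as defined in (3), $\exists i : \llbracket \mathcal{A}_i \rrbracket(\mathcal{Q}) = \mathsf{m}$, $1 \le 
i \le n$. Based on Prop. 3, $\exists i : \mathsf{val}(\mathcal{A}_i, \mathsf{m}) \in M$, $1 \le i \le n$. Thus, $\exists i : M(\mathsf{val}(\mathcal{A}_i, \mathsf{m})) = 
\top$. Therefore, by Lemma 1, $\mathsf{val}(\mathcal{E}, \mathsf{m}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{E}, \mathsf{m}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{val}(\mathcal{E}, \mathsf{m})$ 
as the head whose body is true under $M$. Based on the AnyOf transformation, $\exists i : 
M(\mathsf{val}(\mathcal{A}_i, \mathsf{m})) = \top$. Therefore, $\exists i : \mathsf{val}(\mathcal{A}_i, \mathsf{m}) \in M$. Based on Prop. 3, $\exists i : \llbracket \mathcal{A}_i \rrbracket(\mathcal{Q}) = 
\mathsf{m}$. Therefore, based on (3), we obtain $\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = \mathsf{m}$. □ 

Lemma 11. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{E}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = \mathsf{nm}$ if and only if $\mathsf{val}(\mathcal{E}, \mathsf{nm}) \in M$. 

Proof. Let $\mathcal{E} = \bigvee_{i=1}^{n} \mathcal{A}_i$. 

($\Rightarrow$) Suppose that $\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = \mathsf{nm}$ holds. Then, as defined in (3), $\forall i : \llbracket \mathcal{A}_i \rrbracket(\mathcal{Q}) = \mathsf{nm}$. 
Based on Prop. 3, $\forall i : \mathsf{val}(\mathcal{A}_i, \mathsf{nm}) \in M$. Thus, $M(\mathsf{val}(\mathcal{A}_1, \mathsf{nm}) \wedge \ldots \wedge \mathsf{val}(\mathcal{A}_n, \mathsf{nm})) = 
\top$. Therefore, by Lemma 1, $\mathsf{val}(\mathcal{E}, \mathsf{nm}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{E}, \mathsf{nm}) \in M$. By Lemma 3, there is a rule with $\mathsf{val}(\mathcal{E}, \mathsf{nm})$ as 
the head whose body is true under $M$. There is only one rule in $\Pi$ with $\mathsf{val}(\mathcal{E}, \mathsf{nm})$ in the 
head, i.e., $\mathsf{val}(\mathcal{E}, \mathsf{nm}) \leftarrow \mathsf{val}(\mathcal{A}_1, \mathsf{nm}), \ldots, \mathsf{val}(\mathcal{A}_n, \mathsf{nm})$. Thus, $M(\mathsf{val}(\mathcal{A}_1, \mathsf{nm}) \wedge 
\ldots \wedge \mathsf{val}(\mathcal{A}_n, \mathsf{nm})) = \top$. Therefore, $\mathsf{val}(\mathcal{A}_i, \mathsf{nm}) \in M$, $1 \le i \le n$. Based on Prop. 3, 
$\llbracket \mathcal{A}_i \rrbracket(\mathcal{Q}) = \mathsf{nm}$, $1 \le i \le n$. Therefore, based on (3), we obtain $\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = \mathsf{nm}$. □ 

Lemma 12. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{E}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = \mathsf{idt}$ if and only if $\mathsf{val}(\mathcal{E}, \mathsf{idt}) \in M$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = \mathsf{idt}$. Then, as defined in (3), $\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) \neq \mathsf{m}$ and 
$\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) \neq \mathsf{nm}$. Thus, by Lemma 10 and Lemma 11, $\mathsf{val}(\mathcal{E}, \mathsf{m}) \notin M$ and $\mathsf{val}(\mathcal{E}, \mathsf{nm}) \notin 
M$. Hence, $M(\mathbf{not}\ \mathsf{val}(\mathcal{E}, \mathsf{m}) \wedge \mathbf{not}\ \mathsf{val}(\mathcal{E}, \mathsf{nm})) = \top$. By Lemma 1, $\mathsf{val}(\mathcal{E}, \mathsf{idt}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{E}, \mathsf{idt}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{val}(\mathcal{E}, \mathsf{idt})$ 
as the head whose body is true under $M$. There is only one rule in $\Pi$ with $\mathsf{val}(\mathcal{E}, \mathsf{idt})$ in 
the head, i.e., $\mathsf{val}(\mathcal{E}, \mathsf{idt}) \leftarrow \mathbf{not}\ \mathsf{val}(\mathcal{E}, \mathsf{m}), \mathbf{not}\ \mathsf{val}(\mathcal{E}, \mathsf{nm})$. Hence, $\mathsf{val}(\mathcal{E}, \mathsf{m}) \notin M$ and 
$\mathsf{val}(\mathcal{E}, \mathsf{nm}) \notin M$. Based on Lemma 10 and Lemma 11, $\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) \neq \mathsf{m}$ and $\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) \neq \mathsf{nm}$. 
Therefore, based on (3), we obtain $\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = \mathsf{idt}$. □ 

Proposition 4. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{E}}$ be a program obtained by merging the Request 
transformation program $\Pi_{\mathcal{Q}}$ and the AnyOf $\mathcal{E}$ transformation program with all of its 
components $\Pi^{\mathcal{E}}$. Let $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{E} \rrbracket(\mathcal{Q}) = V$ if and only if $\mathsf{val}(\mathcal{E}, V) \in M$. 

Proof. It follows from Lemma 10, Lemma 11 and Lemma 12 since the value of $V$ only 
has three possibilities, i.e., $\{\mathsf{m}, \mathsf{nm}, \mathsf{idt}\}$. □ 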

Target Evaluation. 

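Lemma 13. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{T}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ if and only if $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$. 

Proof. Let $\mathcal{T} = \bigwedge_{i=1}^{n} \mathcal{E}_i$. 

($\Rightarrow$) Suppose that $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ holds. Then, as defined in (4), we have that 

1. $\forall i : \llbracket \mathcal{E}_i \rrbracket(\mathcal{Q}) = \mathsf{m}$, $1 \le i \le n$. Based on Prop. 4, $\forall i : \mathsf{val}(\mathcal{E}_i, \mathsf{m}) \in M$, $1 \le i \le n$. 
Thus, $M(\mathsf{val}(\mathcal{E}_1, \mathsf{m}) \wedge \ldots \wedge \mathsf{val}(\mathcal{E}_n, \mathsf{m})) = \top$. Therefore, by Lemma 1, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in 
M$. 

2. $\mathcal{T} = \mathsf{null}$. Based on the Target transformation we get that $\mathsf{val}(\mathsf{null}, \mathsf{m}) \leftarrow \top$. Thus, 
$\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$ since $M$ is the minimal model of $\Pi$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$. Based on Lemma 3, there is a clause with $\mathsf{val}(\mathcal{T}, \mathsf{m})$ 
as the head whose body is true under $M$. 

1. $\mathcal{T} \neq \mathsf{null}$. There is a rule with $\mathsf{val}(\mathcal{T}, \mathsf{m})$ as the head, i.e., $\mathsf{val}(\mathcal{T}, \mathsf{m}) \leftarrow 
\mathsf{val}(\mathcal{E}_1, \mathsf{m}), \ldots, \mathsf{val}(\mathcal{E}_n, \mathsf{m})$. Then, we find that $M(\mathsf{val}(\mathcal{E}_1, \mathsf{m}) \wedge \ldots \wedge \mathsf{val}(\mathcal{E}_n, \mathsf{m})) = 
\top$. Therefore, $\mathsf{val}(\mathcal{E}_i, \mathsf{m}) \in M$, $1 \le i \le n$. Based on Prop. 4, $\llbracket \mathcal{E}_i \rrbracket(\mathcal{Q}) = \mathsf{m}$, $1 \le 
i \le n$. Therefore, based on (4), we obtain $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$. 

2. $\mathcal{T} = \mathsf{null}$. Then, there is a rule in $\Pi$ with $\mathsf{val}(\mathsf{null}, \mathsf{m})$ as the head, i.e., $\mathsf{val}(\mathsf{null}, \mathsf{m}) \leftarrow 
\top$. Thus, based on the definition (4), we obtain $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$. □ 

Lemma 14. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{T}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{nm}$ if and only if $\mathsf{val}(\mathcal{T}, \mathsf{nm}) \in M$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{nm}$ holds. Then, as defined in (4), $\exists i : \llbracket \mathcal{E}_i \rrbracket(\mathcal{Q}) = 
\mathsf{nm}$. Therefore, based on Prop. 4, $\exists i : \mathsf{val}(\mathcal{E}_i, \mathsf{nm}) \in M$. Hence, $\exists i : M(\mathsf{val}(\mathcal{E}_i, \mathsf{nm})) = 
\top$. Thus, by Lemma 1, $\mathsf{val}(\mathcal{T}, \mathsf{nm}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{T}, \mathsf{nm}) \in M$. Based on Lemma 3, there is a clause with 
$\mathsf{val}(\mathcal{T}, \mathsf{nm})$ as the head whose body is true under $M$. Based on AllOf 
transformation, $\exists i : M(\mathsf{val}(\mathcal{E}_i, \mathsf{nm})) = \top$. Therefore, $\exists i : \mathsf{val}(\mathcal{E}_i, \mathsf{nm}) \in M$. Based on Prop. 4, 
$\exists i : \llbracket \mathcal{E}_i \rrbracket(\mathcal{Q}) = \mathsf{nm}$. Therefore, based on (4), we obtain $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{nm}$. □ 

Lemma 15. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{T}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{idt}$ if and only if $\mathsf{val}(\mathcal{T}, \mathsf{idt}) \in M$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{idt}$. Then, as defined in (4), $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) \neq \mathsf{m}$ and 
$\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) \neq \mathsf{nm}$. Thus, by Lemma 13 and Lemma 14, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \notin M$ and $\mathsf{val}(\mathcal{T}, \mathsf{nm}) \notin 
M$. Hence, $M(\mathbf{not}\ \mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathbf{not}\ \mathsf{val}(\mathcal{T}, \mathsf{nm})) = \top$. Therefore, by Lemma 1, 
$\mathsf{val}(\mathcal{T}, \mathsf{idt}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{T}, \mathsf{idt}) \in M$. Based on Lemma 3, there is a clause with $\mathsf{val}(\mathcal{T}, \mathsf{idt})$ 
as the head whose body is true under $M$. There is only one rule in $\Pi$ with $\mathsf{val}(\mathcal{T}, \mathsf{idt})$ 
in the head, i.e., $\mathsf{val}(\mathcal{T}, \mathsf{idt}) \leftarrow \mathbf{not}\ \mathsf{val}(\mathcal{T}, \mathsf{m}), \mathbf{not}\ \mathsf{val}(\mathcal{T}, \mathsf{nm})$. Thus, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \notin 
M$ and $\mathsf{val}(\mathcal{T}, \mathsf{nm}) \notin M$. Based on Lemma 13 and Lemma 14, $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) \neq \mathsf{m}$ and 
$\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) \neq \mathsf{nm}$. Therefore, based on (4) we obtain $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{idt}$. □ 

Proposition 5. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{T}}$ be a program obtained by merging the Request 
transformation program $\Pi_{\mathcal{Q}}$ and the Target $\mathcal{T}$ transformation program with all of its 
components $\Pi^{\mathcal{T}}$. Let $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = V$ if and only if $\mathsf{val}(\mathcal{T}, V) \in M$. 

Proof. It follows from Lemma 13, Lemma 14 and Lemma 15 since the value of $V$ only 
has three possibilities, i.e., $\{\mathsf{m}, \mathsf{nm}, \mathsf{idt}\}$. □ 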



Condition Evaluation. 

Proposition 6. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{C}}$ be a program obtained by merging the Request 
transformation program $\Pi_{\mathcal{Q}}$ and the Condition transformation program $\Pi^{\mathcal{C}}$ and let $M$ be an 
answer set of $\Pi$. Then, 

$\llbracket \mathcal{C} \rrbracket(\mathcal{Q}) = V$ if and only if $\mathsf{val}(\mathcal{C}, V) \in M$. 

Proof. It follows from equation (5) that the Condition evaluation is based on the value 
of the eval function, as is the case in the Condition program transformation. □ 

Rule Evaluation. 

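Lemma 16. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{R}}$ be a program obtained by merging the Request 
transformation program $\Pi_{\mathcal{Q}}$ and the Rule $\mathcal{R}$ transformation program with all of its components 
$\Pi^{\mathcal{R}}$. Let $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = E$ if and only if $\mathsf{val}(\mathcal{R}, E) \in M$ 

where $E$ is the Rule's effect, either $\mathsf{p}$ or $\mathsf{d}$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = E$ holds. Then, as defined in (4), $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ 
and $\llbracket \mathcal{C} \rrbracket(\mathcal{Q}) = \mathsf{t}$. Based on Prop. 7 and Prop. 6, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$ and $\mathsf{val}(\mathcal{C}, \mathsf{t}) \in M$. 
Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{val}(\mathcal{C}, \mathsf{t})) = \top$. Therefore, by Lemma 1, $\mathsf{val}(\mathcal{R}, E) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{R}, E) \in M$. Based on Lemma 3, there is a clause with $\mathsf{val}(\mathcal{R}, E)$ 
as the head whose body is true under $M$. There is only one rule in $\Pi$ with $\mathsf{val}(\mathcal{R}, E)$ 
in the head, i.e., $\mathsf{val}(\mathcal{R}, E) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{m}), \mathsf{val}(\mathcal{C}, \mathsf{t})$. Then, we find that $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge 
\mathsf{val}(\mathcal{C}, \mathsf{t})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$ and $\mathsf{val}(\mathcal{C}, \mathsf{t}) \in M$. Based on Prop. 5 and 
Prop. 6, $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ and $\llbracket \mathcal{C} \rrbracket(\mathcal{Q}) = \mathsf{t}$. Therefore, based on (6) we obtain $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = E$. □ 

Lemma 17. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{R}}$ be a program obtained by merging the Request 
transformation program $\Pi_{\mathcal{Q}}$ and the Rule $\mathcal{R}$ transformation program with all of its components 
$\Pi^{\mathcal{R}}$. Let $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = \mathsf{na}$ if and only if $\mathsf{val}(\mathcal{R}, \mathsf{na}) \in M$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = \mathsf{na}$ holds. Then, as defined in (6), we have that 

1. $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ and $\llbracket \mathcal{C} \rrbracket(\mathcal{Q}) = \mathsf{f}$. Based on Prop. 5 and Prop. 6, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$ 
and $\mathsf{val}(\mathcal{C}, \mathsf{f}) \in M$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{val}(\mathcal{C}, \mathsf{f})) = \top$. Therefore, by Lemma 1, 
$\mathsf{val}(\mathcal{R}, \mathsf{na}) \in M$. 

2. $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{nm}$. Based on Prop. 5, $\mathsf{val}(\mathcal{T}, \mathsf{nm}) \in M$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{nm})) = \top$. 
Therefore, by Lemma 1, $\mathsf{val}(\mathcal{R}, \mathsf{na}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{R}, \mathsf{na}) \in M$. Based on Lemma 3, there is a clause in $\Pi$ with 
$\mathsf{val}(\mathcal{R}, \mathsf{na})$ as the head whose body is true under $M$. There are rules in $\Pi$ with 
$\mathsf{val}(\mathcal{R}, \mathsf{na})$ as the head, i.e., 

1. $\mathsf{val}(\mathcal{R}, \mathsf{na}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{m}), \mathsf{val}(\mathcal{C}, \mathsf{f}).$ 
Then, we find that $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{val}(\mathcal{C}, \mathsf{f})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$ and 
$\mathsf{val}(\mathcal{C}, \mathsf{f}) \in M$. Based on Prop. 5 and Prop. 6, $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ and $\llbracket \mathcal{C} \rrbracket(\mathcal{Q}) = \mathsf{f}$. 
Therefore, based on (6), we obtain $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = \mathsf{na}$. 

2. $\mathsf{val}(\mathcal{R}, \mathsf{na}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{nm}).$ 
Then, we find that $M(\mathsf{val}(\mathcal{T}, \mathsf{nm})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{nm}) \in M$. Based on 
Prop. 5, $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{nm}$. Therefore, based on (6), we obtain $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = \mathsf{na}$. □ 

Lemma 18. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{R}}$ be a program and $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = \mathsf{i}_E$ if and only if $\mathsf{val}(\mathcal{R}, \mathsf{i}_E) \in M$ 

where $E$ is the Rule's effect, either $\mathsf{p}$ or $\mathsf{d}$. 

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = \mathsf{i}_E$. Then, as defined in (6), $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) \neq E$ and 
$\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) \neq \mathsf{na}$. By Lemma 16 and Lemma 17, $\mathsf{val}(\mathcal{R}, E) \notin M$ and $\mathsf{val}(\mathcal{R}, \mathsf{na}) \notin M$. 
Hence, $M(\mathbf{not}\ \mathsf{val}(\mathcal{R}, E) \wedge \mathbf{not}\ \mathsf{val}(\mathcal{R}, \mathsf{na})) = \top$. Thus, by Lemma 1, $\mathsf{val}(\mathcal{R}, \mathsf{i}_E) \in 
M$. 

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{R}, \mathsf{i}_E) \in M$. Based on Lemma 3, there is a clause with 
$\mathsf{val}(\mathcal{R}, \mathsf{i}_E)$ as the head whose body is true under $M$. There is only one rule in $\Pi$ 
with $\mathsf{val}(\mathcal{R}, \mathsf{i}_E)$ in the head, i.e., $\mathsf{val}(\mathcal{R}, \mathsf{i}_E) \leftarrow \mathbf{not}\ \mathsf{val}(\mathcal{R}, E), \mathbf{not}\ \mathsf{val}(\mathcal{R}, \mathsf{na})$. 
Therefore, $M(\mathbf{not}\ \mathsf{val}(\mathcal{R}, E) \wedge \mathbf{not}\ \mathsf{val}(\mathcal{R}, \mathsf{na})) = \top$. Thus, $\mathsf{val}(\mathcal{R}, E) \notin M$ and 
$\mathsf{val}(\mathcal{R}, \mathsf{na}) \notin M$. Based on Lemma 16 and Lemma 17, $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) \neq E$ and $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) \neq \mathsf{na}$. 
Hence, based on (6) we obtain $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = \mathsf{i}_E$. □ 

Proposition 7. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi^{\mathcal{R}}$ be a program obtained by merging the Request 
transformation program $\Pi_{\mathcal{Q}}$ and the Rule $\mathcal{R}$ transformation program with all of its 
components $\Pi^{\mathcal{R}}$. Let $M$ be an answer set of $\Pi$. Then, 

$\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = V$ if and only if $\mathsf{val}(\mathcal{R}, V) \in M$. 

Proof. It follows from Lemma 16, Lemma 17 and Lemma 18 since the value of $V$ only 
has five possibilities, i.e., $\{\mathsf{p}, \mathsf{d}, \mathsf{i_d}, \mathsf{i_p}, \mathsf{na}\}$. □ 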

Combining Algorithm: Permit-Overrides. 

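Lemma 19. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{po}} \cup \Pi^{\mathcal{P}}$ be a program obtained by merging the Request 
transformation program $\Pi_{\mathcal{Q}}$, the permit-overrides combining algorithm transformation 
program $\Pi_{\mathsf{po}}$ and the Policy $\mathcal{P}$ transformation program with its components $\Pi^{\mathcal{P}}$. Let $M$ be an 
answer set of $\Pi$. Then, 

$\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{p}$ if and only if $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \in M$ 

where $\mathbf{R} = \langle \llbracket \mathcal{R}_1 \rrbracket(\mathcal{Q}), \ldots, \llbracket \mathcal{R}_n \rrbracket(\mathcal{Q}) \rangle$ is a sequence of policy values where each $\mathcal{R}_i$ is 
a Rule in the sequence inside Policy $\mathcal{P}$. 

Proof. ($\Rightarrow$) Suppose that $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{p}$ holds. Then, as defined in (8), $\exists i : \llbracket \mathcal{R}_i \rrbracket(\mathcal{Q}) = 
\mathsf{p}$ where $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$. Based on Prop. 7, $\mathsf{val}(\mathcal{R}_i, \mathsf{p}) \in 
M$. Based on the Policy transformation, there is a rule in $\Pi$: $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{p}) \leftarrow 
\mathsf{val}(\mathcal{R}_i, \mathsf{p})$. Therefore, by Lemma 1, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{p}) \in M$. Thus, by Lemma 1, 
$\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \in M$. 

($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \in M$. Based on Lemma 3, there is a rule with 
$\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p})$ as the head whose body is true under $M$. There is only one rule in 
$\Pi$ with $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p})$ as the head, i.e., $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \leftarrow \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p})$. Then, 
$M(\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p})) = \top$. Therefore, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p}) \in M$. Based on Lemma 
3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p})$ as the head whose body is true 
under $M$. There is only one rule in $\Pi$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p}) \leftarrow \mathsf{val}(\mathcal{R}, \mathsf{p})$. Then, 
$M(\mathsf{val}(\mathcal{R}, \mathsf{p})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}, \mathsf{p}) \in M$. Based on Prop. 7, $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = \mathsf{p}$ 
and $\mathcal{R}$ belongs to the sequence inside Policy $\mathcal{P}$. Therefore, based on (8), we obtain 
$\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{p}$. □ 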

Lemma 20. Let JJ = JJq U 77 po U LJ V be a program obtained by merging Request 
transformation program 77 q, permit-overrides combining algorithm transformation pro- 
gram 77 po and Policy V transformation program with its components JJ V . Let M be an 
answer set of JJ . Then, 

= id P ifandonlyif algo(po, V, id P ) G M 

po 

where R = ([[7£i]](Q), . . . , [7?.„](Q)) be a sequence of policy value where each TZi is 
a Rule in the sequence inside Policy V. 

Proof. (=>) Suppose that © po (R) = id P holds. Then, as defined in (8) we have that 

1. Mi : pZii(Q) ^ p and 3j : {IZjKQ) = i dp where IZi and TZj are Rule in 
the sequence inside Policy V. Based on Prop. 7, Mi : va\(TZi, p) G - M and 3j : 
\/a\(lZj, idp) G M. Based on Lemma 19, algo(po, V, p) G - M since if it is in M , 
there exists a Rule TZ in the Policy T'sequence such that J72.J (Q) = p. Based on the 
Policy transformation, there is a rule decision_of ("P, TZj, id p ) va\(TZj, id p ). By 
Lemma 1, decision_of(7',7?. :) , idp) G M. Thus, by Lemma 1, algo(po, V, id P ) G M. 

2. Vi : pZi}(Q) ? p and 3j : pZ^Q) = i p and 3f : [ft r J(Q) - d where 
TZi, TZj and 7£j' are Rules in the sequence inside Policy V. Based on Prop. 7, 
Vi : val(^, p) g M and 3j : val(7^, i p ) G M and 3j : va\(Kj>,d) G M. Based 
on Lemma 19, algo(po, V , p) G - M since if it is in M , there exists a Rule TZ 
in the Policy T'sequence such that [7£](Q) = p. Based on the Policy transform- 
ation, there are rules in JJ in the form decision_of (T 5 , TZj, idp) <r- va\(1Zj, i p ) and 
decision_of(7 :> , TZj, i p ) va I (Tfy, d). Thus, by Lemma 1, decision.of (V, TZj, i p ) G 
M and decision_of (P, TZj', d) G M. Hence, by Lemma 1, algo(po, V, id P ) G M. 

3. Vz : I^](Q) ^ p and 3j : [7^1(2) = 'p and 3f : piyj{Q) = i d where 
7?-i, TZj and 7\Lj' are Rule in the sequence inside Policy V. Based on Prop. 7, 
Vi : val(7e i; p) £ M and 3j : val(^-,i p ) G M and 3j : val(7^v,i d ) e M. 
Based on Lemma 19, algo(po, V, p) G" M since if it is in M , there exists a Rule 
7?. in the Policy ^sequence such that [7?.]](Q) = p. Based on the Policy transform- 
ation there are rules in JJ in the form decision_of (V, TZ 3 ■, id P ) va\(TZj, i p and 
decision.of^, TZj, i p ) <— va\(TZj', id). Thus, by Lemma 1, decision_of (V, TZj, i p ) G 
M and decision_of (V, TZy , id) G M. Hence, by Lemma 1, algo(po, V, id P ) G M. 

{<=) Suppose that algo(po,7', id P ) G M. Based on Lemma 3 , there is a rule where 
algo(po, V, id P ) as the head and the body is true under M. There are rules in JJ where 
algo(po, V, idp) as the head, i.e., 



1. algo(po, ft, id p ) <— not algo(po, ft, p), decision_of(P, ft, id p ). 

Then, M(not algo(po, V , p)Adecision_of (ft, 1Z, id p )) = T. Thus, algo(po, ft, p) ^ 
M and decision_of(ft, ft, id p ) G M. Based on Lemma 19, © po (R) ^ P- Based 
on Lemma 3, there is a rule where decision_of (ft ft, idp) as the head and the 
body is true under M . There is only one rule in 77, i.e., decision_of (ft 1Z, id p ) <— 
val(ft, idp). Then, M(val(ft, id p )) = T. Therefore, val(ft, i p ) G M. As defined in 
(8), Vi : pZiHQ) ^ p since © po (R) ^ p . Based on Prop. 7, [ft](Q) = i dp 
and 1Z belongs to the sequence inside Policy P. Hence, based on (8), we obtain 

0po(R) = idp 

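2. $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{d})$.

Then, $M(\mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{d})) = \top$. Thus, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{d}) \in M$. Based on Lemma 19, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p})$ as the head whose body is true under $M$. There is only one rule in $\Pi$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}) \leftarrow \mathsf{val}(\mathcal{R}, \mathsf{i_p})$. Then, $M(\mathsf{val}(\mathcal{R}, \mathsf{i_p})) = \top$. Thus, $\mathsf{val}(\mathcal{R}, \mathsf{i_p}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{d})$ as the head whose body is true under $M$. There is only one rule in $\Pi$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}', \mathsf{d})$. Then, $M(\mathsf{val}(\mathcal{R}', \mathsf{d})) = \top$. Thus, $\mathsf{val}(\mathcal{R}', \mathsf{d}) \in M$. Based on (8), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{p}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_p}$ and $[\![\mathcal{R}']\!](\mathcal{Q}) = \mathsf{d}$, and $\mathcal{R}$, $\mathcal{R}'$ belong to the sequence inside Policy $\mathcal{P}$. Therefore, based on (8), we obtain $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_{dp}}$.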

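3. $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{i_d})$.

Then, $M(\mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{i_d})) = \top$. Thus, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{i_d}) \in M$. Based on Lemma 19, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$ since if $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{p}$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p})$ as the head whose body is true under $M$. There is only one rule in $\Pi$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}) \leftarrow \mathsf{val}(\mathcal{R}, \mathsf{i_p})$. Then, $M(\mathsf{val}(\mathcal{R}, \mathsf{i_p})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}, \mathsf{i_p}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{i_d})$ as the head whose body is true under $M$. There is only one rule in $\Pi$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}', \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{R}', \mathsf{i_d})$. Then, $M(\mathsf{val}(\mathcal{R}', \mathsf{i_d})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}', \mathsf{i_d}) \in M$. Based on (8), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{p}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_p}$ and $[\![\mathcal{R}']\!](\mathcal{Q}) = \mathsf{i_d}$, and $\mathcal{R}$, $\mathcal{R}'$ belong to the sequence inside Policy $\mathcal{P}$. Therefore, based on (8), we obtain $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_{dp}}$. □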

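Lemma 21. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{po}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, permit-overrides combining algorithm transformation program $\Pi_{\mathsf{po}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_p} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \in M$$

where $\mathbf{R} = ([\![\mathcal{R}_1]\!](\mathcal{Q}), \ldots, [\![\mathcal{R}_n]\!](\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.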

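Proof. ($\Rightarrow$) Suppose that $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_p}$ holds. Then, as defined in (8), $\exists i : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{i_p}$ and $\forall j : [\![\mathcal{R}_j]\!](\mathcal{Q}) \neq \mathsf{i_p} \Rightarrow [\![\mathcal{R}_j]\!](\mathcal{Q}) = \mathsf{na}$, where $\mathcal{R}_i$ and $\mathcal{R}_j$ are Rules in the sequence inside Policy $\mathcal{P}$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, \mathsf{i_p}) \in M$. Based on Lemma 19, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{p}$. Based on Lemma 20, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_{dp}}$, and $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{d}$ or $\mathsf{i_d}$. Based on the Policy transformation, there is a rule $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_p}) \leftarrow \mathsf{val}(\mathcal{R}_i, \mathsf{i_p})$. Therefore, by Lemma 1, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_p}) \in M$. Thus, by Lemma 1, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \in M$.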

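($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p})$ as the head whose body is true under $M$. There is only one such rule in $\Pi$, i.e., $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p})$. Then, $M(\mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p})) = \top$. Therefore, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}) \in M$. Based on Lemma 19 and Lemma 20, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$ and $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_{dp}}$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p})$ as the head whose body is true under $M$. There is only one rule in $\Pi$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_p}) \leftarrow \mathsf{val}(\mathcal{R}, \mathsf{i_p})$. Then, $M(\mathsf{val}(\mathcal{R}, \mathsf{i_p})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}, \mathsf{i_p}) \in M$. Based on (8), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{p}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$, and $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq (\mathsf{i_{dp}}$ or $\mathsf{d}$ or $\mathsf{i_d})$. Thus, the only possible values of $[\![\mathcal{R}_i]\!]$ are $\mathsf{i_p}$ or $\mathsf{na}$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_p}$ and $\mathcal{R}$ belongs to the sequence inside Policy $\mathcal{P}$. Therefore, based on (8), we obtain $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_p}$. □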

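Lemma 22. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{po}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, permit-overrides combining algorithm transformation program $\Pi_{\mathsf{po}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{d} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \in M$$

where $\mathbf{R} = ([\![\mathcal{R}_1]\!](\mathcal{Q}), \ldots, [\![\mathcal{R}_n]\!](\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.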

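Proof. ($\Rightarrow$) Suppose that $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{d}$ holds. Then, as defined in (8), $\exists i : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{d}$ and $\forall j : [\![\mathcal{R}_j]\!](\mathcal{Q}) \neq \mathsf{d} \Rightarrow [\![\mathcal{R}_j]\!](\mathcal{Q}) = (\mathsf{i_d}$ or $\mathsf{na})$, where $\mathcal{R}_i$ and $\mathcal{R}_j$ are Rules in the sequence inside Policy $\mathcal{P}$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, \mathsf{d}) \in M$. Based on Lemma 19, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{p}$. Based on Lemma 20, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_{dp}}$. Based on Lemma 21, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_p}$. Based on the Policy transformation, there is a rule $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}_i, \mathsf{d})$. Therefore, by Lemma 1, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{d}) \in M$. Thus, by Lemma 1, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \in M$.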
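($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d})$ as the head whose body is true under $M$. There is only one such rule in $\Pi$, i.e., $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{d})$. Hence, we obtain $M(\mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{d})) = \top$. Therefore, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \notin M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{d}) \in M$. Based on Lemma 19, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{p}$ would lead to a contradiction. Based on Lemma 20, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_{dp}}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_{dp}}$ would lead to a contradiction. Based on Lemma 21, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_p}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_p}$ would lead to a contradiction. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{d})$ as the head whose body is true under $M$. There is only one rule in $\Pi$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}, \mathsf{d})$. Then, $M(\mathsf{val}(\mathcal{R}, \mathsf{d})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}, \mathsf{d}) \in M$. Based on (8), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{p}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$. Based on (8), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{i_{dp}}$. Based on (8), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{i_p}$. Thus, the only possible values of $[\![\mathcal{R}_i]\!]$ are $\mathsf{d}$, $\mathsf{i_d}$ or $\mathsf{na}$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{d}$ and $\mathcal{R}$ belongs to the sequence inside Policy $\mathcal{P}$. Therefore, based on (8), $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{d}$. □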

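Lemma 23. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{po}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, permit-overrides combining algorithm transformation program $\Pi_{\mathsf{po}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_d} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d}) \in M$$

where $\mathbf{R} = ([\![\mathcal{R}_1]\!](\mathcal{Q}), \ldots, [\![\mathcal{R}_n]\!](\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.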

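Proof. ($\Rightarrow$) Suppose that $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_d}$ holds. Then, as defined in (8), $\exists i : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{i_d}$ and $\forall j : [\![\mathcal{R}_j]\!](\mathcal{Q}) \neq \mathsf{i_d} \Rightarrow [\![\mathcal{R}_j]\!](\mathcal{Q}) = \mathsf{na}$, where $\mathcal{R}_i$ and $\mathcal{R}_j$ are Rules in the sequence inside Policy $\mathcal{P}$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, \mathsf{i_d}) \in M$. Based on Lemma 19, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{p}$. Based on Lemma 20, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_{dp}}$. Based on Lemma 21, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_p}$. Based on Lemma 22, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{d}$. Based on the Policy transformation, there is a rule $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{R}_i, \mathsf{i_d})$. Hence, by Lemma 1, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_d}) \in M$. Thus, by Lemma 1, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d}) \in M$.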
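($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d})$ as the head whose body is true under $M$. There is only one such rule in $\Pi$, i.e., $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d})$. Hence, we find that $M(\mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d})) = \top$. Thus, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \notin M$, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \notin M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d}) \in M$. Based on Lemma 19, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{p}$ would lead to a contradiction. Based on Lemma 20, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_{dp}}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_{dp}}$ would lead to a contradiction. Based on Lemma 21, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_p}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_p}$ would lead to a contradiction. Based on Lemma 22, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{d}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{d}$ would lead to a contradiction. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d})$ as the head whose body is true under $M$. There is only one rule in $\Pi$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{R}, \mathsf{i_d})$. Then, we find that $M(\mathsf{val}(\mathcal{R}, \mathsf{i_d})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}, \mathsf{i_d}) \in M$. Based on (8), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{p}$ since $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$. Based on (8), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{i_{dp}}$. Based on (8), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{i_p}$ and $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{d}$. Thus, the only possible values of $[\![\mathcal{R}_i]\!]$ are $\mathsf{i_d}$ or $\mathsf{na}$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_d}$ and $\mathcal{R}$ belongs to the sequence inside Policy $\mathcal{P}$. Therefore, based on (8), $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{i_d}$. □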



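Lemma 24. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{po}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, permit-overrides combining algorithm transformation program $\Pi_{\mathsf{po}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{na} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{na}) \in M$$

where $\mathbf{R} = ([\![\mathcal{R}_1]\!](\mathcal{Q}), \ldots, [\![\mathcal{R}_n]\!](\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.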

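Proof. Suppose that $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{na}$ holds. Then, as defined in (8), we have that $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_{dp}}$, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_p}$, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{d}$, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_d}$. Based on Lemma 19, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$. Based on Lemma 20, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$. Based on Lemma 21, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \notin M$. Based on Lemma 22, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \notin M$. Based on Lemma 23, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d}) \notin M$. Thus, $M(\mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d})) = \top$. Therefore, by Lemma 1, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{na}) \in M$.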

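($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{na}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{na})$ as the head whose body is true under $M$. There is only one rule in $\Pi$ with $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{na})$ as the head, i.e., $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{na}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d})$. Then, $M(\mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d})) = \top$. Therefore, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{p}) \notin M$, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_p}) \notin M$, $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{d}) \notin M$ and $\mathsf{algo}(\mathsf{po}, \mathcal{P}, \mathsf{i_d}) \notin M$. Based on Lemma 19, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{p}$. Based on Lemma 20, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_{dp}}$. Based on Lemma 21, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_p}$. Based on Lemma 22, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{d}$. Based on Lemma 23, $\bigoplus_{\mathsf{po}}(\mathbf{R}) \neq \mathsf{i_d}$. Therefore, based on (8), $\bigoplus_{\mathsf{po}}(\mathbf{R}) = \mathsf{na}$. □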

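Proposition 8. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{po}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, permit-overrides combining algorithm transformation program $\Pi_{\mathsf{po}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{po}}(\mathbf{R}) = V \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{po}, \mathcal{P}, V) \in M$$

where $\mathbf{R} = (\mathcal{R}_1(\mathcal{Q}), \ldots, \mathcal{R}_n(\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.

Proof. It follows from Lemma 19, Lemma 20, Lemma 21, Lemma 22, Lemma 23 and Lemma 24 since the value of $V$ only has six possibilities, i.e., $\{\mathsf{p}, \mathsf{d}, \mathsf{i_p}, \mathsf{i_d}, \mathsf{i_{dp}}, \mathsf{na}\}$. □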
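Proposition 8 can be checked mechanically on small inputs. The following is an added example, not code from the paper: it transcribes the permit-overrides rules quoted in the proofs of Lemmas 20 to 24 as Python data, evaluates them stratum by stratum, and compares the result with a direct reading of permit-overrides for every rule-value sequence up to a given length. The rule for `p` (Lemma 19 lies outside this excerpt), the function names and the reference function `permit_overrides` are assumptions of the example.

```python
from itertools import product

# Rule values; "ip", "id", "idp" stand for i_p, i_d, i_dp.
VALUES = ("p", "d", "ip", "id", "idp", "na")

# (head, heads appearing under "not", values that need a decision_of atom).
# Listed in stratum order: every head a rule negates is fully defined by earlier rules.
PO_RULES = [
    ("p",   (),                            ("p",)),      # assumed; Lemma 19's rule is not in this excerpt
    ("idp", ("p",),                        ("idp",)),
    ("idp", ("p",),                        ("ip", "d")),
    ("idp", ("p",),                        ("ip", "id")),
    ("ip",  ("p", "idp"),                  ("ip",)),
    ("d",   ("p", "idp", "ip"),            ("d",)),
    ("id",  ("p", "idp", "ip", "d"),       ("id",)),
    ("na",  ("p", "idp", "ip", "d", "id"), ()),
]


def answer_set(rule_values, rules=PO_RULES):
    """Return {v : algo(po, P, v) is derived} for a policy whose rules evaluate to rule_values.

    decision_of(P, R_i, v) <- val(R_i, v) makes the decision atoms exactly the
    set of values that occur. Because the rules are stratified and listed in
    stratum order, one pass computes the unique answer set.
    """
    decisions = set(rule_values)
    derived = set()
    for head, negated, required in rules:
        if all(n not in derived for n in negated) and all(r in decisions for r in required):
            derived.add(head)
    return derived


def permit_overrides(rule_values):
    """Direct reading of the permit-overrides operator, used as the reference."""
    s = set(rule_values)
    if "p" in s:
        return "p"
    if "idp" in s or ("ip" in s and ("d" in s or "id" in s)):
        return "idp"
    for v in ("ip", "d", "id"):
        if v in s:
            return v
    return "na"


def without_negation(rules):
    """Same rules with every 'not algo(...)' guard removed."""
    return [(head, (), required) for head, _, required in rules]


def mismatches(max_len=3, rules=PO_RULES):
    """Sequences whose derived algo atoms are not exactly {reference decision}."""
    bad = []
    for n in range(max_len + 1):
        for seq in product(VALUES, repeat=n):
            got = answer_set(seq, rules)
            if got != {permit_overrides(seq)}:
                bad.append((seq, got))
    return bad


if __name__ == "__main__":
    print("mismatches with the guarded rules:", len(mismatches()))
    print("answer set for (ip, d):", answer_set(("ip", "d")))
    unguarded = answer_set(("p", "d"), without_negation(PO_RULES))
    print("without the 'not' guards, (p, d) derives:", sorted(unguarded))
```

Dropping the `not` guards makes a policy with one Permit and one Deny rule derive several decisions at once, which is the conflict the cascade of negated atoms rules out.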

Combining Algorithm: First Applicable. 

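Proposition 9. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{fa}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, first-applicable combining algorithm transformation program $\Pi_{\mathsf{fa}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{fa}}(\mathbf{R}) = V \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{fa}, \mathcal{P}, V) \in M$$

where $\mathbf{R} = ([\![\mathcal{R}_1]\!](\mathcal{Q}), \ldots, [\![\mathcal{R}_n]\!](\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.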

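Proof. ($\Rightarrow$) Suppose that $\bigoplus_{\mathsf{fa}}(\mathbf{R}) = V$ holds. Then, as defined in (9), $\exists i : [\![\mathcal{R}_i]\!](\mathcal{Q}) = V$ and $V \neq \mathsf{na}$ and $\forall j : j < i \Rightarrow [\![\mathcal{R}_j]\!](\mathcal{Q}) = \mathsf{na}$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, V) \in M$ where $V \neq \mathsf{na}$ and $\forall j : j < i \Rightarrow \mathsf{val}(\mathcal{R}_j, \mathsf{na}) \in M$. Based on the Policy transformation there is a rule $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \leftarrow \mathsf{val}(\mathcal{R}_i, V)$ in $\Pi$ and $\forall j : j < i$ we get that there are rules of the form $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{na}) \leftarrow \mathsf{val}(\mathcal{R}_j, \mathsf{na})$ in $\Pi$. Therefore, we have $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \in M$ and $\forall j : j < i$ we also have $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{na}) \in M$ since $M$ is a minimal model for $\Pi$. Thus, by Lemma 1, $\mathsf{algo}(\mathsf{fa}, \mathcal{P}, V) \in M$.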
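($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{fa}, \mathcal{P}, V) \in M$. Based on Lemma 3, there is a clause in $\mathcal{P}$ with $\mathsf{algo}(\mathsf{fa}, \mathcal{P}, V)$ as the head whose body is true under $M$. There are several rules in $\mathcal{P}$ with $\mathsf{algo}(\mathsf{fa}, \mathcal{P}, V)$ as the head. We can see that in each rule the body contains $\exists i : \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V)$, $V \neq \mathsf{na}$, and $\forall j : j < i$ the body also contains $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{na})$. Therefore $\exists i : \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \in M$ and $\forall j : j < i$, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{na}) \in M$. Based on Lemma 3, there is a clause with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V)$ as the head whose body is true under $M$, and $\forall j : j < i$, there is a clause with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{na})$ as the head whose body is true under $M$. There is only one rule in $\mathcal{P}$ with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V)$ as the head, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \leftarrow \mathsf{val}(\mathcal{R}_i, V)$. The same holds for $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{na})$. Then, $\exists i : M(\mathsf{val}(\mathcal{R}_i, V)) = \top$ and $\forall j < i : M(\mathsf{val}(\mathcal{R}_j, \mathsf{na})) = \top$. Therefore, $\exists i : \mathsf{val}(\mathcal{R}_i, V) \in M$ and $\forall j : j < i \Rightarrow \mathsf{val}(\mathcal{R}_j, \mathsf{na}) \in M$. Based on Prop. 7, $\exists i : [\![\mathcal{R}_i]\!](\mathcal{Q}) = V$ and $\forall j : j < i \Rightarrow [\![\mathcal{R}_j]\!](\mathcal{Q}) = \mathsf{na}$, and $\mathcal{R}_i$ and $\mathcal{R}_j$ belong to the sequence inside Policy $\mathcal{P}$. Therefore, based on (8), we obtain $\bigoplus_{\mathsf{fa}}(\mathbf{R}) = V$. □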

Combining Algorithm: Only-One-Applicable. 

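Lemma 25. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{ooa}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, only-one-applicable combining algorithm transformation program $\Pi_{\mathsf{ooa}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_{dp}} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \in M$$

where $\mathbf{R} = (\mathcal{R}_1(\mathcal{Q}), \ldots, \mathcal{R}_n(\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.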

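Proof. ($\Rightarrow$) Suppose that $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_{dp}}$ holds. Then, as defined in (10), we have that

1. $\exists i : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{i_{dp}}$.

Based on Prop. 7, $\mathsf{val}(\mathcal{R}_i, \mathsf{i_{dp}}) \in M$. Based on the Policy transformation, there is a rule $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_{dp}}) \leftarrow \mathsf{val}(\mathcal{R}_i, \mathsf{i_{dp}})$. Therefore, by Lemma 1, we find that $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_{dp}}) \in M$. Thus, by Lemma 1, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \in M$.

2. $\exists i, j : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{d}$ and $[\![\mathcal{R}_j]\!](\mathcal{Q}) = \mathsf{p}$.

Based on Prop. 7, $\mathsf{val}(\mathcal{R}_i, \mathsf{d}) \in M$ and $\mathsf{val}(\mathcal{R}_j, \mathsf{p}) \in M$. Based on the Policy transformation, there are rules in $\Pi$ of the form $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}_i, \mathsf{d})$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{p}) \leftarrow \mathsf{val}(\mathcal{R}_j, \mathsf{p})$. Therefore, by Lemma 1, we find that $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{p}) \in M$. Thus, by Lemma 1, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \in M$.

3. $\exists i, j : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{i_d}$ and $[\![\mathcal{R}_j]\!](\mathcal{Q}) = \mathsf{p}$.

Based on Prop. 7, $\mathsf{val}(\mathcal{R}_i, \mathsf{i_d}) \in M$ and $\mathsf{val}(\mathcal{R}_j, \mathsf{p}) \in M$. Based on the Policy transformation there are rules in $\Pi$ of the form $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{R}_i, \mathsf{i_d})$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{p}) \leftarrow \mathsf{val}(\mathcal{R}_j, \mathsf{p})$. Then, by Lemma 1, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{p}) \in M$. Thus, by Lemma 1, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \in M$.

4. $\exists i, j : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{d}$ and $[\![\mathcal{R}_j]\!](\mathcal{Q}) = \mathsf{i_p}$.

Based on Prop. 7, $\mathsf{val}(\mathcal{R}_i, \mathsf{d}) \in M$ and $\mathsf{val}(\mathcal{R}_j, \mathsf{i_p}) \in M$. Based on the Policy transformation, there are rules in $\Pi$ of the form $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}_i, \mathsf{d})$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{i_p}) \leftarrow \mathsf{val}(\mathcal{R}_j, \mathsf{i_p})$. Then, by Lemma 1, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{i_p}) \in M$. Thus, by Lemma 1, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \in M$.

5. $\exists i, j : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{i_d}$ and $[\![\mathcal{R}_j]\!](\mathcal{Q}) = \mathsf{i_p}$.

Based on Prop. 7, $\mathsf{val}(\mathcal{R}_i, \mathsf{i_d}) \in M$ and $\mathsf{val}(\mathcal{R}_j, \mathsf{i_p}) \in M$. Based on the Policy transformation there are rules in $\Pi$ of the form $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{R}_i, \mathsf{i_d})$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{i_p}) \leftarrow \mathsf{val}(\mathcal{R}_j, \mathsf{i_p})$. Then, by Lemma 1, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{i_d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{i_p}) \in M$. Thus, by Lemma 1, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \in M$.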

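($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}})$ as the head whose body is true under $M$. There are five such rules in $\Pi$, i.e.,

1. $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \leftarrow \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_{dp}})$.

Then, $M(\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_{dp}})) = \top$. Therefore, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_{dp}}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_{dp}}) \in M$ as the head whose body is true under $M$. There is only one rule in $\Pi$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_{dp}}) \leftarrow \mathsf{val}(\mathcal{R}, \mathsf{i_{dp}})$. Then, $M(\mathsf{val}(\mathcal{R}, \mathsf{i_{dp}})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}, \mathsf{i_{dp}}) \in M$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_{dp}}$ and $\mathcal{R}$ belongs to the sequence inside Policy $\mathcal{P}$. Therefore, based on (10), $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_{dp}}$.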

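2. $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \leftarrow \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p})$.

Then, $M(\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p})) = \top$. Hence, we find that $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}) \in M$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{R}_1, \mathsf{i_d})$, and there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p}) \in M$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p}) \leftarrow \mathsf{val}(\mathcal{R}_2, \mathsf{i_p})$. Therefore, $M(\mathsf{val}(\mathcal{R}_1, \mathsf{i_d})) = \top$ and $M(\mathsf{val}(\mathcal{R}_2, \mathsf{i_p})) = \top$. Then, $\mathsf{val}(\mathcal{R}_1, \mathsf{i_d}) \in M$ and $\mathsf{val}(\mathcal{R}_2, \mathsf{i_p}) \in M$. Based on Prop. 7, $[\![\mathcal{R}_1]\!](\mathcal{Q}) = \mathsf{i_d}$ and $[\![\mathcal{R}_2]\!](\mathcal{Q}) = \mathsf{i_p}$, and $\mathcal{R}_1$ and $\mathcal{R}_2$ belong to the sequence inside Policy $\mathcal{P}$. Therefore, based on (10), $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_{dp}}$.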

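3. $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \leftarrow \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p})$.

Then, we find that $M(\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p})) = \top$. Therefore, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}) \in M$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{R}_1, \mathsf{i_d})$, and there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p}) \in M$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p}) \leftarrow \mathsf{val}(\mathcal{R}_2, \mathsf{p})$. Then, we find that $M(\mathsf{val}(\mathcal{R}_1, \mathsf{i_d})) = \top$ and $M(\mathsf{val}(\mathcal{R}_2, \mathsf{p})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}_1, \mathsf{i_d}) \in M$ and $\mathsf{val}(\mathcal{R}_2, \mathsf{p}) \in M$. Based on Prop. 7, $[\![\mathcal{R}_1]\!](\mathcal{Q}) = \mathsf{i_d}$ and $[\![\mathcal{R}_2]\!](\mathcal{Q}) = \mathsf{p}$, and $\mathcal{R}_1$ and $\mathcal{R}_2$ belong to the sequence inside Policy $\mathcal{P}$. Therefore, based on (10), $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_{dp}}$.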

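4. $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \leftarrow \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p})$.

Then we find that $M(\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p})) = \top$. Therefore, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \in M$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}_1, \mathsf{d})$, and there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p}) \in M$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{i_p}) \leftarrow \mathsf{val}(\mathcal{R}_2, \mathsf{i_p})$. Then, we find that $M(\mathsf{val}(\mathcal{R}_1, \mathsf{d})) = \top$ and $M(\mathsf{val}(\mathcal{R}_2, \mathsf{i_p})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}_1, \mathsf{d}) \in M$ and $\mathsf{val}(\mathcal{R}_2, \mathsf{i_p}) \in M$. Based on Prop. 7, $[\![\mathcal{R}_1]\!](\mathcal{Q}) = \mathsf{d}$ and $[\![\mathcal{R}_2]\!](\mathcal{Q}) = \mathsf{i_p}$, and $\mathcal{R}_1$ and $\mathcal{R}_2$ belong to the sequence inside Policy $\mathcal{P}$. Therefore, based on (10), $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_{dp}}$.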
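5. $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \leftarrow \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p})$.

Then we find that $M(\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p})) = \top$. Therefore, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \in M$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}_1, \mathsf{d})$, and there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p}) \in M$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{p}) \leftarrow \mathsf{val}(\mathcal{R}_2, \mathsf{p})$. Then, we find that $M(\mathsf{val}(\mathcal{R}_1, \mathsf{d})) = \top$ and $M(\mathsf{val}(\mathcal{R}_2, \mathsf{p})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}_1, \mathsf{d}) \in M$ and $\mathsf{val}(\mathcal{R}_2, \mathsf{p}) \in M$. Based on Prop. 7, $[\![\mathcal{R}_1]\!](\mathcal{Q}) = \mathsf{d}$ and $[\![\mathcal{R}_2]\!](\mathcal{Q}) = \mathsf{p}$, and $\mathcal{R}_1$ and $\mathcal{R}_2$ belong to the sequence inside Policy $\mathcal{P}$. Therefore, based on (10), $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_{dp}}$. □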

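Lemma 26. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{ooa}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, only-one-applicable combining algorithm transformation program $\Pi_{\mathsf{ooa}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_d} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \in M$$

where $\mathbf{R} = (\mathcal{R}_1(\mathcal{Q}), \ldots, \mathcal{R}_n(\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.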

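Proof. Suppose that $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_d}$ holds. Then, as defined in (10), we have that

1. $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq (\mathsf{p}$ or $\mathsf{i_p}$ or $\mathsf{i_{dp}})$ and $\exists j : s_j = \mathsf{i_d}$.

Based on Prop. 7, $\forall i : \mathsf{val}(\mathcal{R}_i, \mathsf{p}) \notin M$, $\mathsf{val}(\mathcal{R}_i, \mathsf{i_p}) \notin M$ and $\mathsf{val}(\mathcal{R}_i, \mathsf{i_{dp}}) \notin M$. Based on Prop. 7, $\exists j : \mathsf{val}(\mathcal{R}_j, \mathsf{i_d}) \in M$. Based on Lemma 25, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$ since if it is in $M$, there is a Rule $\mathcal{R}$ such that $[\![\mathcal{R}]\!](\mathcal{Q}) = (\mathsf{p}$ or $\mathsf{i_p}$ or $\mathsf{i_{dp}})$. Based on the Policy transformation there is a rule $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{R}_j, \mathsf{i_d})$. Then, by Lemma 1, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{i_d}) \in M$. Then, by Lemma 1, we obtain $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \in M$.

2. $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq (\mathsf{p}$ or $\mathsf{i_p}$ or $\mathsf{i_{dp}})$ and $\exists j, k : j \neq k$ and $s_j = s_k = \mathsf{d}$.

Based on Prop. 7, $\forall i : \mathsf{val}(\mathcal{R}_i, \mathsf{p}) \notin M$, $\mathsf{val}(\mathcal{R}_i, \mathsf{i_p}) \notin M$ and $\mathsf{val}(\mathcal{R}_i, \mathsf{i_{dp}}) \notin M$ since if they are in $M$ it will lead to a contradiction. Based on Prop. 7, $\exists j, k : j \neq k$ and $\mathsf{val}(\mathcal{R}_j, \mathsf{d}) \in M$ and $\mathsf{val}(\mathcal{R}_k, \mathsf{d}) \in M$. Based on Lemma 25, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$ since if it is in $M$, there is a Rule $\mathcal{R}$ such that $[\![\mathcal{R}]\!](\mathcal{Q}) = (\mathsf{p}$ or $\mathsf{i_p}$ or $\mathsf{i_{dp}})$. Based on the Policy transformation there is a rule $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}_j, \mathsf{d})$ and there is a rule $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_k, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}_k, \mathsf{d})$. Therefore $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_k, \mathsf{d}) \in M$ since $M$ is the minimal model of $\Pi$. Thus, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \in M$ since $M$ is the minimal model of $\Pi$.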

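($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d})$ as the head whose body is true under $M$. There are rules in $\Pi$ with $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d})$ as the head, i.e.,

1. $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d})$.

Then we find that $M(\mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d})) = \top$. Therefore, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d}) \in M$. Based on Lemma 25, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_{dp}}$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d})$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{R}, \mathsf{i_d})$. Then we find that $M(\mathsf{val}(\mathcal{R}, \mathsf{i_d})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}, \mathsf{i_d}) \in M$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_d}$. Based on (10), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq (\mathsf{p}$ or $\mathsf{i_p}$ or $\mathsf{i_{dp}})$ since $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_{dp}}$. Therefore, based on (10), $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_d}$.

2. $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{d}),\ \mathcal{R}_1 \neq \mathcal{R}_2$.

Then, $M(\mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{d})) = \top$, $\mathcal{R}_1 \neq \mathcal{R}_2$. Therefore, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{d}) \in M$, $\mathcal{R}_1 \neq \mathcal{R}_2$. Based on Lemma 25, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_{dp}}$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d})$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_1, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}_1, \mathsf{d})$. Then we find that $M(\mathsf{val}(\mathcal{R}_1, \mathsf{d})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}_1, \mathsf{d}) \in M$. Based on Prop. 7, $[\![\mathcal{R}_1]\!](\mathcal{Q}) = \mathsf{d}$. Based on Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{d})$ as the head whose body is true under $M$, $\mathcal{R}_1 \neq \mathcal{R}_2$. There is only one rule in $\Pi$ with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{d})$ as the head, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_2, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{R}_2, \mathsf{d})$, $\mathcal{R}_1 \neq \mathcal{R}_2$. Then we find that $M(\mathsf{val}(\mathcal{R}_2, \mathsf{d})) = \top$, $\mathcal{R}_1 \neq \mathcal{R}_2$. Therefore, $\mathsf{val}(\mathcal{R}_2, \mathsf{d}) \in M$, $\mathcal{R}_1 \neq \mathcal{R}_2$. Based on Prop. 7, $[\![\mathcal{R}_2]\!](\mathcal{Q}) = \mathsf{d}$. Based on (10), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq (\mathsf{p}$ or $\mathsf{i_p}$ or $\mathsf{i_{dp}})$ since $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_{dp}}$. Therefore, based on (10), $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_d}$. □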

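Lemma 27. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{ooa}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, only-one-applicable combining algorithm transformation program $\Pi_{\mathsf{ooa}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{i_p} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}) \in M$$

where $\mathbf{R} = (\mathcal{R}_1(\mathcal{Q}), \ldots, \mathcal{R}_n(\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.

Proof. Note: The proof is similar to the proof of Lemma 26.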

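Lemma 28. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{ooa}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, only-one-applicable combining algorithm transformation program $\Pi_{\mathsf{ooa}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{p} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p}) \in M$$

where $\mathbf{R} = (\mathcal{R}_1(\mathcal{Q}), \ldots, \mathcal{R}_n(\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.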

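Proof. ($\Rightarrow$) Suppose that $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{p}$ holds. Then, as defined in (10), we have that $\exists i : [\![\mathcal{R}_i]\!](\mathcal{Q}) = \mathsf{p}$ and $\forall j : j \neq i$, $[\![\mathcal{R}_j]\!](\mathcal{Q}) = \mathsf{na}$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, \mathsf{p}) \in M$. Based on Lemma 25, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_{dp}}$. Based on Lemma 26, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_d}$ or there are at least two Rule elements $\mathcal{R}_1$ and $\mathcal{R}_2$, $\mathcal{R}_1 \neq \mathcal{R}_2$, such that $[\![\mathcal{R}_1]\!](\mathcal{Q}) = [\![\mathcal{R}_2]\!](\mathcal{Q}) = \mathsf{d}$. Based on Lemma 27, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}) \notin M$ since if it is in $M$, there exists a Rule $\mathcal{R}$ in the Policy $\mathcal{P}$ sequence such that $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{i_p}$ or there are at least two Rule elements $\mathcal{R}_1$ and $\mathcal{R}_2$, $\mathcal{R}_1 \neq \mathcal{R}_2$, such that $[\![\mathcal{R}_1]\!](\mathcal{Q}) = [\![\mathcal{R}_2]\!](\mathcal{Q}) = \mathsf{p}$. Based on the Policy transformation there is a rule $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{p}) \leftarrow \mathsf{val}(\mathcal{R}_i, \mathsf{p})$. Therefore $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, \mathsf{p}) \in M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_j, \mathsf{na}) \in M$ since $M$ is the minimal model of $\Pi$. Thus, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p}) \in M$ since $M$ is the minimal model of $\Pi$.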

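($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p})$ as the head whose body is true under $M$. There are rules in $\Pi$ with $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p})$ as the head, i.e., $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p})$. Then, we find that $M(\mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p})) = \top$. Therefore, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \notin M$, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}) \notin M$ and $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p}) \in M$. By Lemma 25, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_{dp}}$. By Lemma 26, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_d}$. By Lemma 27, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_p}$. By Lemma 3, there is a rule with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p})$ as the head whose body is true under $M$, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, \mathsf{p}) \leftarrow \mathsf{val}(\mathcal{R}, \mathsf{p})$. Then we find that $M(\mathsf{val}(\mathcal{R}, \mathsf{p})) = \top$. Therefore, $\mathsf{val}(\mathcal{R}, \mathsf{p}) \in M$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = \mathsf{p}$. Based on (10), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq (\mathsf{p}$ or $\mathsf{i_p}$ or $\mathsf{i_{dp}})$ since $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_{dp}}$. Based on (10), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{i_d}$ or there are no two rules for which $[\![\mathcal{R}_1]\!](\mathcal{Q}) = [\![\mathcal{R}_2]\!](\mathcal{Q}) = \mathsf{d}$ since $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_d}$. Based on (10), $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{i_p}$ or $\mathsf{p}$ since $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_p}$. Therefore, based on (10), $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{p}$. □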

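Lemma 29. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{ooa}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, only-one-applicable combining algorithm transformation program $\Pi_{\mathsf{ooa}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{d} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{d}) \in M$$

where $\mathbf{R} = (\mathcal{R}_1(\mathcal{Q}), \ldots, \mathcal{R}_n(\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.

Proof. Note: The proof is similar to the proof of Lemma 28.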

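Lemma 30. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{ooa}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, only-one-applicable combining algorithm transformation program $\Pi_{\mathsf{ooa}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{na} \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{na}) \in M$$

where $\mathbf{R} = (\mathcal{R}_1(\mathcal{Q}), \ldots, \mathcal{R}_n(\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.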

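Proof. ($\Rightarrow$) Suppose that $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{na}$ holds. Then, as defined in (8), we have that $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_{dp}}$, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_d}$, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_p}$, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{d}$, and $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{p}$. By Lemma 25, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$. By Lemma 26, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \notin M$. By Lemma 27, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}) \notin M$. By Lemma 28, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p}) \notin M$. By Lemma 29, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{d}) \notin M$. Thus, $M(\mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{d}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p})) = \top$. Therefore, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{na}) \in M$ since $M$ is the minimal model of $\Pi$.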

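($\Leftarrow$) Suppose that $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{na}) \in M$. Based on Lemma 3, there is a rule with $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{na})$ as the head whose body is true under $M$. There is only one rule in $\Pi$ with $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{na})$ as the head, i.e., $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{na}) \leftarrow \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{d}),\ \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p})$. Then we find that $M(\mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{d}) \wedge \mathrm{not}\ \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p})) = \top$. Therefore, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_{dp}}) \notin M$, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_d}) \notin M$, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{i_p}) \notin M$, $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{d}) \notin M$ and $\mathsf{algo}(\mathsf{ooa}, \mathcal{P}, \mathsf{p}) \notin M$. By Lemma 19, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_{dp}}$. By Lemma 20, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_d}$. By Lemma 21, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{i_p}$. By Lemma 22, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{d}$. By Lemma 23, $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) \neq \mathsf{p}$. Therefore, based on (8), $\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = \mathsf{na}$. □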

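Proposition 10. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{ooa}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, only-one-applicable combining algorithm transformation program $\Pi_{\mathsf{ooa}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{ooa}}(\mathbf{R}) = V \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{ooa}, \mathcal{P}, V) \in M$$

where $\mathbf{R} = (\mathcal{R}_1(\mathcal{Q}), \ldots, \mathcal{R}_n(\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.

Proof. It follows from Lemma 25, Lemma 26, Lemma 27, Lemma 28, Lemma 29 and Lemma 30 since the value of $V$ only has six possibilities, i.e., $\{\mathsf{p}, \mathsf{d}, \mathsf{i_p}, \mathsf{i_d}, \mathsf{i_{dp}}, \mathsf{na}\}$. □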

Evaluation to Combining Algorithms. 

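Proposition 11. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{CombID}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, combining algorithm transformation program $\Pi_{\mathsf{CombID}}$ and Policy $\mathcal{P}$ transformation program with its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = V \quad \text{if and only if} \quad \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, V) \in M$$

where $\mathbf{R} = (\mathcal{R}_1(\mathcal{Q}), \ldots, \mathcal{R}_n(\mathcal{Q}))$ is a sequence of policy values where each $\mathcal{R}_i$ is a Rule in the sequence inside Policy $\mathcal{P}$.

Proof. It follows from Prop. 8, Prop. 9 and Prop. 10. □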
Policy Evaluation. 

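Lemma 31. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, Policy $\mathcal{P}$ transformation program and its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$[\![\mathcal{P}]\!](\mathcal{Q}) = \mathsf{i_d} \Leftrightarrow \mathsf{val}(\mathcal{P}, \mathsf{i_d}) \in M.$$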



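Proof. ($\Rightarrow$) Suppose that $[\![\mathcal{P}]\!](\mathcal{Q}) = \mathsf{i_d}$ holds. Then, as defined in (7), we have that

1. $[\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{idt}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{d}$. Based on Prop. 5 and Prop. 11, $\mathsf{val}(\mathcal{T}, \mathsf{idt}) \in M$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d}) \in M$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{idt}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d})) = \top$. Hence, by Lemma 1, $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \in M$.

2. $[\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{idt}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{i_d}$ and $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{na}$. Based on Prop. 5 and Prop. 11, $\mathsf{val}(\mathcal{T}, \mathsf{idt}) \in M$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d}) \in M$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, V) \in M$, $V \neq \mathsf{na}$. Therefore, we have $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \in M$ since $M$ is the minimal model of $\Pi$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{idt}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \wedge (V \neq \mathsf{na})) = \top$. Hence, by Lemma 1, $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \in M$.

3. $[\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{m}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{i_d}$ and $\forall i : [\![\mathcal{R}_i]\!](\mathcal{Q}) \neq \mathsf{na}$. Based on Prop. 5 and Prop. 11, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d}) \in M$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, V) \in M$, $V \neq \mathsf{na}$. Therefore, we have $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \in M$ since $M$ is the minimal model of $\Pi$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \wedge (V \neq \mathsf{na})) = \top$. Therefore, $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \in M$ since $M$ is the minimal model of $\Pi$.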

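($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \in M$. Based on Lemma 3, there is a clause with $\mathsf{val}(\mathcal{P}, \mathsf{i_d})$ as the head whose body is true under $M$. There are rules in $\Pi$ with $\mathsf{val}(\mathcal{P}, \mathsf{i_d})$ as the head, i.e.,

1. $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{idt}),\ \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d})$.

Then, $M(\mathsf{val}(\mathcal{T}, \mathsf{idt}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{idt}) \in M$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d}) \in M$. Based on Prop. 5 and Prop. 11, $[\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{idt}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{d}$. Therefore, based on (7), $[\![\mathcal{P}]\!](\mathcal{Q}) = \mathsf{i_d}$.

2. $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{idt}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V),\ V \neq \mathsf{na},\ \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d}),\ \mathsf{i_d} \neq \mathsf{d}$.

Then, $M(\mathsf{val}(\mathcal{T}, \mathsf{idt}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \wedge (V \neq \mathsf{na}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d}) \wedge (\mathsf{i_d} \neq \mathsf{d})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{idt}) \in M$, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \in M$, $V \neq \mathsf{na}$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d}) \in M$. Based on Prop. 5 and Prop. 11, $[\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{idt}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{i_d}$. Based on Lemma 3, there is a clause with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head whose body is true under $M$. There is a rule in $\Pi$ with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \leftarrow \mathsf{val}(\mathcal{R}, V)$. Then we find that $M(\mathsf{val}(\mathcal{R}, V)) = \top$. Thus, $\mathsf{val}(\mathcal{R}, V) \in M$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = V$, $V \neq \mathsf{na}$. Therefore, based on (7), $[\![\mathcal{P}]\!](\mathcal{Q}) = \mathsf{i_d}$.

3. $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{m}),\ \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V),\ V \neq \mathsf{na},\ \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d})$.

Then we find that $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \wedge (V \neq \mathsf{na}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \in M$, $V \neq \mathsf{na}$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_d}) \in M$. Based on Prop. 5 and Prop. 11, $[\![\mathcal{T}]\!](\mathcal{Q}) = \mathsf{m}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{i_d}$. Based on Lemma 3, there is a clause with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head whose body is true under $M$. There is a rule in $\Pi$ with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \leftarrow \mathsf{val}(\mathcal{R}, V)$. Then we find that $M(\mathsf{val}(\mathcal{R}, V)) = \top$. Thus, $\mathsf{val}(\mathcal{R}, V) \in M$. Based on Prop. 7, $[\![\mathcal{R}]\!](\mathcal{Q}) = V$, $V \neq \mathsf{na}$. Therefore, based on (7), $[\![\mathcal{P}]\!](\mathcal{Q}) = \mathsf{i_d}$. □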

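Lemma 32. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, Policy $\mathcal{P}$ transformation program and its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{i_p} \quad \text{if and only if} \quad \mathsf{val}(\mathcal{P}, \mathsf{i_p}) \in M .$$

Proof. Note: The proof is similar to the proof of Lemma 31.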

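Lemma 33. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, Policy $\mathcal{P}$ transformation program and its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{na} \quad \text{if and only if} \quad \mathsf{val}(\mathcal{P}, \mathsf{na}) \in M .$$

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{na}$ holds. Then, as defined in (7) we have that

1. $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{nm}$. Based on Prop. 5, $\mathsf{val}(\mathcal{T}, \mathsf{nm}) \in M$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{nm})) = \top$. Therefore, $\mathsf{val}(\mathcal{P}, \mathsf{na}) \in M$ since $M$ is the minimal model of $\Pi$.

2. $\forall i : \llbracket \mathcal{R}_i \rrbracket(\mathcal{Q}) = \mathsf{na}$. Based on Prop. 7, $\forall i : \mathsf{val}(\mathcal{R}_i, \mathsf{na}) \in M$. Thus, $M(\mathsf{val}(\mathcal{R}_1, \mathsf{na}) \wedge \ldots \wedge \mathsf{val}(\mathcal{R}_n, \mathsf{na})) = \top$. Therefore, $\mathsf{val}(\mathcal{P}, \mathsf{na}) \in M$ since $M$ is the minimal model of $\Pi$.

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \in M$. Based on Lemma 3, there is a clause with $\mathsf{val}(\mathcal{P}, \mathsf{i_p})$ as the head whose body is true under $M$. There are rules in $\Pi$ with $\mathsf{val}(\mathcal{P}, \mathsf{i_p})$ as the head, i.e.,

1. $\mathsf{val}(\mathcal{P}, \mathsf{na}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{nm})$. Then we find that $M(\mathsf{val}(\mathcal{T}, \mathsf{nm})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{nm}) \in M$. Based on Prop. 5, $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{na}$. Therefore, based on (7), $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{na}$.

2. $\mathsf{val}(\mathcal{P}, \mathsf{na}) \leftarrow \mathsf{val}(\mathcal{R}_1, \mathsf{na}), \ldots, \mathsf{val}(\mathcal{R}_n, \mathsf{na})$. Then we find that $M(\mathsf{val}(\mathcal{R}_1, \mathsf{na}) \wedge \ldots \wedge \mathsf{val}(\mathcal{R}_n, \mathsf{na})) = \top$. Therefore, $\forall i : \mathsf{val}(\mathcal{R}_i, \mathsf{na}) \in M$. Based on Prop. 7, $\forall i : \llbracket \mathcal{R}_i \rrbracket(\mathcal{Q}) = \mathsf{na}$. Therefore, based on (7), $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{na}$. □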

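Lemma 34. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, Policy $\mathcal{P}$ transformation program and its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{i_{dp}} \quad \text{if and only if} \quad \mathsf{val}(\mathcal{P}, \mathsf{i_{dp}}) \in M .$$

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{i_{dp}}$ holds. Then, as defined in (7) we have that

1. $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{idt}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{i_{dp}}$ and $\forall i : \llbracket \mathcal{R}_i \rrbracket(\mathcal{Q}) \neq \mathsf{na}$. Based on Prop. 5 and Prop. 11, $\mathsf{val}(\mathcal{T}, \mathsf{idt}) \in M$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}}) \in M$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, V) \in M$, $V \neq \mathsf{na}$. Therefore, we have $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \in M$ since $M$ is the minimal model of $\Pi$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{idt}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \wedge (V \neq \mathsf{na})) = \top$. Therefore, $\mathsf{val}(\mathcal{P}, \mathsf{i_{dp}}) \in M$ since $M$ is the minimal model of $\Pi$.

2. $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{i_{dp}}$ and $\forall i : \llbracket \mathcal{R}_i \rrbracket(\mathcal{Q}) \neq \mathsf{na}$. Based on Prop. 5 and Prop. 11, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}}) \in M$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, V) \in M$, $V \neq \mathsf{na}$. Therefore, we have $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \in M$ since $M$ is the minimal model of $\Pi$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \wedge (V \neq \mathsf{na})) = \top$. Therefore, $\mathsf{val}(\mathcal{P}, \mathsf{i_{dp}}) \in M$ since $M$ is the minimal model of $\Pi$.

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{P}, \mathsf{i_{dp}}) \in M$. Based on Lemma 3, there is a clause with $\mathsf{val}(\mathcal{P}, \mathsf{i_{dp}})$ as the head whose body is true under $M$. There are rules in $\Pi$ with $\mathsf{val}(\mathcal{P}, \mathsf{i_{dp}})$ as the head, i.e.,

1. $\mathsf{val}(\mathcal{P}, \mathsf{i_{dp}}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{idt}), \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V), V \neq \mathsf{na}, \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}}), \mathsf{i_{dp}} \neq \mathsf{d}.$

Then we find that $M(\mathsf{val}(\mathcal{T}, \mathsf{idt}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \wedge (V \neq \mathsf{na}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}}) \wedge (\mathsf{i_{dp}} \neq \mathsf{d})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{idt}) \in M$, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \in M$, $V \neq \mathsf{na}$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}}) \in M$. Based on Prop. 5 and Prop. 11, $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{idt}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{i_{dp}}$. Based on Lemma 3, there is a clause with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head whose body is true under $M$. There is a rule in $\Pi$ with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \leftarrow \mathsf{val}(\mathcal{R}, V)$. Then we find that $M(\mathsf{val}(\mathcal{R}, V)) = \top$. Thus, $\mathsf{val}(\mathcal{R}, V) \in M$. Based on Prop. 7, $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = V$, $V \neq \mathsf{na}$. Therefore, based on (7), $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{i_{dp}}$.

2. $\mathsf{val}(\mathcal{P}, \mathsf{i_{dp}}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{m}), \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V), V \neq \mathsf{na}, \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}}).$

Then we find that $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \wedge (V \neq \mathsf{na}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \in M$, $V \neq \mathsf{na}$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{i_{dp}}) \in M$. Based on Prop. 5 and Prop. 11, $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{i_{dp}}$. Based on Lemma 3, there is a clause with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head whose body is true under $M$. There is a rule in $\Pi$ with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \leftarrow \mathsf{val}(\mathcal{R}, V)$. Then we find that $M(\mathsf{val}(\mathcal{R}, V)) = \top$. Thus, $\mathsf{val}(\mathcal{R}, V) \in M$. Based on Prop. 7, $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = V$, $V \neq \mathsf{na}$. Therefore, based on (7), $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{i_{dp}}$. □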

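Lemma 35. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, Policy $\mathcal{P}$ transformation program and its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{p} \quad \text{if and only if} \quad \mathsf{val}(\mathcal{P}, \mathsf{p}) \in M .$$

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{p}$ holds. Then, as defined in (7) we have that $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{p}$ and $\forall i : \llbracket \mathcal{R}_i \rrbracket(\mathcal{Q}) \neq \mathsf{na}$. Based on Prop. 5 and Prop. 11, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{p}) \in M$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, V) \in M$, $V \neq \mathsf{na}$. Therefore, we have $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \in M$ since $M$ is the minimal model of $\Pi$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{p}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \wedge (V \neq \mathsf{na})) = \top$. Therefore, $\mathsf{val}(\mathcal{P}, \mathsf{p}) \in M$ since $M$ is the minimal model of $\Pi$.

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \in M$. Based on Lemma 3, there is a clause with $\mathsf{val}(\mathcal{P}, \mathsf{i_d})$ as the head whose body is true under $M$. There are rules in $\Pi$ with $\mathsf{val}(\mathcal{P}, \mathsf{i_d})$ as the head, i.e., $\mathsf{val}(\mathcal{P}, \mathsf{p}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{m}), \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V), V \neq \mathsf{na}, \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{p})$. Then we find that $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \wedge (V \neq \mathsf{na}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{p})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \in M$, $V \neq \mathsf{na}$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{p}) \in M$. Based on Prop. 5 and Prop. 11, $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{p}$. Based on Lemma 3, there is a clause with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head whose body is true under $M$. There is a rule in $\Pi$ with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \leftarrow \mathsf{val}(\mathcal{R}, V)$. Then we find that $M(\mathsf{val}(\mathcal{R}, V)) = \top$. Thus, $\mathsf{val}(\mathcal{R}, V) \in M$. Based on Prop. 7, $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = V$, $V \neq \mathsf{na}$. Therefore, based on (7), $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{p}$. □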

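Lemma 36. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, Policy $\mathcal{P}$ transformation program and its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{d} \quad \text{if and only if} \quad \mathsf{val}(\mathcal{P}, \mathsf{d}) \in M .$$

Proof. ($\Rightarrow$) Suppose that $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{d}$ holds. Then, as defined in (7) we have that $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{d}$ and $\forall i : \llbracket \mathcal{R}_i \rrbracket(\mathcal{Q}) \neq \mathsf{na}$. Based on Prop. 5 and Prop. 11, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d}) \in M$. Based on Prop. 7, $\exists i : \mathsf{val}(\mathcal{R}_i, V) \in M$, $V \neq \mathsf{na}$. Therefore, we have $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \in M$ since $M$ is the minimal model of $\Pi$. Thus, $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}_i, V) \wedge (V \neq \mathsf{na})) = \top$. Therefore, $\mathsf{val}(\mathcal{P}, \mathsf{d}) \in M$ since $M$ is the minimal model of $\Pi$.

($\Leftarrow$) Suppose that $\mathsf{val}(\mathcal{P}, \mathsf{i_d}) \in M$. Based on Lemma 3, there is a clause with $\mathsf{val}(\mathcal{P}, \mathsf{i_d})$ as the head whose body is true under $M$. There are rules in $\Pi$ with $\mathsf{val}(\mathcal{P}, \mathsf{i_d})$ as the head, i.e., $\mathsf{val}(\mathcal{P}, \mathsf{d}) \leftarrow \mathsf{val}(\mathcal{T}, \mathsf{m}), \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V), V \neq \mathsf{na}, \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d})$. Then we find that $M(\mathsf{val}(\mathcal{T}, \mathsf{m}) \wedge \mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \wedge (V \neq \mathsf{na}) \wedge \mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d})) = \top$. Therefore, $\mathsf{val}(\mathcal{T}, \mathsf{m}) \in M$, $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \in M$, $V \neq \mathsf{na}$ and $\mathsf{algo}(\mathsf{CombID}, \mathcal{P}, \mathsf{d}) \in M$. Based on Prop. 5 and Prop. 11, $\llbracket \mathcal{T} \rrbracket(\mathcal{Q}) = \mathsf{m}$ and $\bigoplus_{\mathsf{CombID}}(\mathbf{R}) = \mathsf{d}$. Based on Lemma 3, there is a clause with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head whose body is true under $M$. There is a rule in $\Pi$ with $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V)$ as the head, i.e., $\mathsf{decision\_of}(\mathcal{P}, \mathcal{R}, V) \leftarrow \mathsf{val}(\mathcal{R}, V)$. Then we find that $M(\mathsf{val}(\mathcal{R}, V)) = \top$. Thus, $\mathsf{val}(\mathcal{R}, V) \in M$. Based on Prop. 7, $\llbracket \mathcal{R} \rrbracket(\mathcal{Q}) = V$, $V \neq \mathsf{na}$. Therefore, based on (7), $\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = \mathsf{d}$. □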

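Proposition 12. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathcal{P}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$, Policy $\mathcal{P}$ transformation program and its components $\Pi_{\mathcal{P}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\llbracket \mathcal{P} \rrbracket(\mathcal{Q}) = V \quad \text{if and only if} \quad \mathsf{val}(\mathcal{P}, V) \in M .$$

Proof. It follows from Lemma 31, Lemma 32, Lemma 33, Lemma 34, Lemma 35 and Lemma 36 since the value of $V$ only has six possibilities, i.e., $\{ \mathsf{p}, \mathsf{d}, \mathsf{i_p}, \mathsf{i_d}, \mathsf{i_{dp}}, \mathsf{na} \}$. □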
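
The val(P, ·) rules quoted in the proofs of Lemmas 31 and 33 to 36 can be evaluated directly. The following Python sketch is an added example, not code from the paper: it derives the policy value from the target value, the rule values and the fact algo(CombID, P, V), which is taken as an input. The i_p rules are assumed to mirror the i_d rules (Lemma 32 only states that its proof is similar), and all function names are hypothetical.

```python
# Added example, not code from the paper. Rule heads and bodies follow the
# val(P, .) rules quoted in the proofs of Lemmas 31 and 33-36.
VALUES = ("p", "d", "i_p", "i_d", "i_dp", "na")
INDET = ("i_p", "i_d", "i_dp")

def policy_values(target, rule_values, algo):
    """Return {V | val(P, V) is derivable} for one policy P.

    target      -- Target value: "m", "nm" or "idt"
    rule_values -- values of the Rules R_1..R_n
    algo        -- the V for which algo(CombID, P, V) holds (given as a fact)
    """
    derived = set()
    # decision_of(P, R, V) <- val(R, V); the bodies below need one with V != na.
    some_decision = any(v != "na" for v in rule_values)
    # val(P, na) <- val(T, nm).
    if target == "nm":
        derived.add("na")
    # val(P, na) <- val(R_1, na), ..., val(R_n, na).
    if all(v == "na" for v in rule_values):
        derived.add("na")
    if target == "idt":
        # val(P, i_d) <- val(T, idt), algo(CombID, P, d).
        if algo == "d":
            derived.add("i_d")
        # Assumption: the i_p rule mirrors the i_d rule above (Lemma 32).
        if algo == "p":
            derived.add("i_p")
        # val(P, I) <- val(T, idt), decision_of(P, R, V), V != na,
        #              algo(CombID, P, I), I != d.
        if some_decision and algo in INDET:
            derived.add(algo)
    # val(P, W) <- val(T, m), decision_of(P, R, V), V != na, algo(CombID, P, W).
    # The case W = i_p is assumed by symmetry with i_d.
    if target == "m" and some_decision and algo != "na":
        derived.add(algo)
    return derived

def unique_for_all_inputs():
    """True if every consistent input derives exactly one policy value."""
    for target in ("m", "nm", "idt"):
        for algo in VALUES:
            # Assumption: the combining result is na exactly when all rules are na.
            rules = ["na"] if algo == "na" else ["na", algo]
            if len(policy_values(target, rules, algo)) != 1:
                return False
    return True
```
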

Evaluation to XACML Component. 

Corollary 1. Let $\Pi = \Pi_{\mathcal{Q}} \cup \Pi_{\mathsf{XACML}}$ be a program obtained by merging Request transformation program $\Pi_{\mathcal{Q}}$ and all XACML components transformation programs $\Pi_{\mathsf{XACML}}$. Let $M$ be an answer set of $\Pi$. Then,

$$\llbracket X \rrbracket(\mathcal{Q}) = V \quad \text{if and only if} \quad \mathsf{val}(X, V) \in M$$

where $X$ is an XACML component.

Proof. It follows from Prop. 2, Prop. 3, Prop. 4, Prop. 5, Prop. 6, Prop. 7 and Prop. 12. □



